Posted on 18-May-2020

Page 1: Microsoft Networking Academy · Microsoft Networking Academy •Intro –Networking from 0-60 •Partner Spotlight –Security in the Azure cloud using Palo Alto Network’s virtual

Microsoft Networking Academy with the C+E Global Black Belts

Olivier Martin (@omartin) – Networking TSP GBB

Kevin Lopez (@kevlopez) – ER Partner Sales Executive GBB

Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive GBB

Eddie Villalba (@edvilla) – Networking and Open Source TSP GBB

Bryan Woodworth (@brwoodwo) – Networking TSP GBB

Page 2

Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded and posted here: https://aka.ms/mna

Page 3

Microsoft Networking Academy

• Introductory Sessions (200 level)
  • Quick overview or what’s new this week (5-10 minutes)
  • Partner Spotlight of the week (35-45 minutes)
  • Q&A (10 minutes)

• Deep Dive Sessions (300-400 level)
  • Short introduction (5 minutes)
  • Deeper dive topic of the week (35-45 minutes)
  • Q&A (10 minutes)

• Email [email protected] to receive detailed schedules for upcoming sessions!

• Available on Channel 9!

Page 4

Agenda for May 26th, 2017 – Episode #9

• Intro – Networking from 0-60

• Partner Spotlight – Security in the Azure cloud using Palo Alto Network’s virtual appliances

• Ask the Experts Q&A

Page 5

Page 6

[Map of Azure regions, as labelled: Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt, Dallas, Washington DC, New York, Chicago; separate labels for US Government, Germany and China]

Page 7

Page 8

[Diagram: Azure Active Directory above several Azure subscriptions, each with Access Control and Virtual Networks; each Virtual Network holds FW, IIS and SQL tiers fronted by Azure load balancers and is reached over ExpressRoute or the Internet]

Page 9

Page 10

Page 11

Partner Spotlight: Palo Alto Networks

Page 12

PALO ALTO NETWORKS: NEXT-GENERATION SECURITY PLATFORM

Page 13

Mission: To protect our way of life in the digital age by preventing successful cyber attacks.

Page 14

Strategic Direction: To be the leading independent security company by building the world’s most innovative and effective security platform.

Page 15: Microsoft Networking Academy · Microsoft Networking Academy •Intro –Networking from 0-60 •Partner Spotlight –Security in the Azure cloud using Palo Alto Network’s virtual

-

5,000

10,000

15,000

20,000

25,000

30,000

35,000

40,000

16

Q2 FY17 Highlights

15,500+ Wildfire Customers

875 Traps CustomersMore than 1M Nodes Protected

2,500+ VM-Series Customers

Page 16

What’s changed?

THE EVOLUTION OF THE ATTACKER

• Cybercrime: now a $445 billion industry

• Cyber warfare: 100+ nations

17 | © 2015, Palo Alto Networks. Confidential and Proprietary.

Page 17

What’s changed?

THE EVOLUTION OF THE ATTACK

[Chart of organizational risk by threat type:]

• Known threats

• Identity compromise

• Zero-day exploits / vulnerabilities

• Evasive command-and-control

• Unknown & polymorphic malware

• Mobility threat

Page 18

Failure of legacy security architectures

[Diagram: an Enterprise Network behind an Internet Connection, protected by point products from Vendor 1, Vendor 2, Vendor 3 and Vendor 4: Anti-APT for port 80 APTs, Anti-APT for port 25 APTs, Anti-APT cloud, Endpoint AV, Network AV, DNS protection cloud, DNS protection for outbound DNS, UTM/Blades and Malware Intelligence, each raising its own stream of DNS, Endpoint, AV, SMTP and Web alerts]

Limited visibility. Manual response. Lacks correlation.

Page 19

Requirements for the future

DETECT AND PREVENT THREATS AT EVERY POINT ACROSS THE ORGANIZATION

• At the internet edge

• Between employees and devices within the LAN

• At the data center edge, and between VMs

• At the mobile device

• Cloud: within private, public and hybrid clouds

Page 20

Delivering continuous innovation

• Traps

• GlobalProtect

• WildFire

• AutoFocus

• Aperture

• Threat Prevention

• URL Filtering

Page 21

A complete security architecture

[Diagram: Enterprise network, Public cloud, Private cloud]

Page 22

Security: A Shared Responsibility

Azure looks after security OF the cloud:

• Cloud Infrastructure & Services: Compute, Storage, Database, Networking

Customers are responsible for their security IN the cloud:

• Customer content

• Platform, Applications, Identity & Access Management

• Operating System, Network & Firewall Configuration

• Client & Server Encryption; Network Traffic Protection; Encryption Key Management

Page 23

VM-Series for Microsoft Azure

Page 24

Deployment Use Cases: Protect your Azure deployment just as you would your data center

• Hybrid: Securely deploy applications in your data center or in the cloud

• Segmentation: Separate data and applications for compliance and security

• Internet Gateway: Protect Internet facing applications

• Remote Access: Security consistency for your network, your cloud, and your devices

Page 25

Licensing Models: BYOL or PAYG Subscription?

Best suited for:
  Bring your own license (BYOL): Long running, steady-state deployments that may scale over time
  Pay as you go (PAYG): On-demand, utility-style, elastic deployments

Comparable to:
  BYOL: Buy
  PAYG: Rent

Costs?
  BYOL: CapEx (initial purchase in year 1); Opex (annual renewal after that)
  PAYG: Fixed rate for duration of use, initial annual license and subsequent renewal. OPEX

Supported environments:
  BYOL: All hypervisors supported; move licenses between any supported hypervisor or public cloud
  PAYG: Azure only

Licensing, Subscription, Support options?
  BYOL: Use any combination of capacity SKU (VM-100, -200, -300, -1000-HV), subscriptions and support
  PAYG: Bundle 1 or Bundle 2 with no option to mix and match licenses, subscriptions or support programs

US Gov. Support?
  BYOL: Yes. Federal Agencies can purchase USG support for the VM-Series
  PAYG: No. Premium support is included with both bundles; no option to purchase USG

Pricing flexibility?
  BYOL: High volume purchase discounts apply
  PAYG: Fixed pricing in Azure Marketplace: Azure hourly subscription for Bundle 1 or Bundle 2. No annual option.

Page 26

The VM-Series ELA (New)

▪ Launched worldwide in November 2016

▪ Based on existing and projected use of VM-Series firewalls

▪ One ELA per model

▪ Designed to incent fast adoption

▪ Unbounded with no true up within term

▪ Designed to account for customer ramp

▪ 1 and 3 Year term options

▪ Works in all supported environments

▪ ~$150k list price is target minimum*

[Diagram: ELA bundle = Term + VM-Series + VM-Panorama + Support and updates + Subscriptions]

The VM-Series ELA is an unbounded subscription based model that includes a specific VM-Series model, VM Panorama, subscriptions and support into a single, easy to order and easy to deploy bundle.

*Minimum still being finalized

Page 27

What are the benefits of the VM-Series ELA?

• Consistent security on all supported platforms

• Cost savings as more of the platform is utilized

• Predictable opex even if deployments happen faster than planned

• No true ups and ability to reset plan at term end

• Greatly simplifies operations with single auth code (vs. 100’s to 1,000’s)

Page 28

VNET / User Defined Routes Introduction

Page 29

Zero Trust

Assume that no user, interface, application, etc. is automatically trusted

Segment the network and force all traffic through a control point for inspection.

The cloud makes this easier to do at scale

Page 30

VNET setup in Azure

• MGMT: Subnet 10.0.0.0/24, Private IP 10.0.2.4

• Untrust: Subnet 10.0.1.0/24, Private IP 10.0.1.4

• Trust: Subnet 10.0.2.0/24, Private IP 10.0.2.4

• DMZ: Subnet 10.0.3.0/24, Private IP 10.0.3.4

• NAT: Subnet 10.0.10.0/24, Private IP 10.0.10.4

• Internal-LB: Subnet 10.0.4.0/24, Private IP 10.0.4.4

• WEB: Subnet 10.0.5.0/24, Private IP 10.0.5.4

Page 31

How new VNETers think VNETs work

[Diagram: the VNET from the previous slide (MGMT 10.0.0.0/24, Untrust 10.0.1.0/24, Trust 10.0.2.0/24, DMZ 10.0.3.0/24, Internal-LB 10.0.4.0/24, WEB 10.0.5.0/24, NAT 10.0.10.0/24, with the .4 private IPs shown there), adding a WEB VM at 10.0.5.5 and a NAT VM at 10.0.10.6]

Page 32 (repeated as Pages 33 and 34)

How new VNETers think VNETs work

[Diagram: the same subnets (MGMT 10.0.0.0/24, WEB 10.0.5.0/24, NAT 10.0.10.0/24, Internal-LB 10.0.4.0/24, DMZ 10.0.3.0/24, Trust 10.0.2.0/24, Untrust 10.0.1.0/24) drawn with a .1 gateway address in every subnet; VMs NAT 10.0.10.6 and WEB 10.0.5.5]

Page 35

How VNETs ACTUALLY work

[Diagram: the same subnets (MGMT 10.0.0.0/24, WEB 10.0.5.0/24, NAT 10.0.10.0/24, Internal-LB 10.0.4.0/24, DMZ 10.0.3.0/24, Trust 10.0.2.0/24, Untrust 10.0.1.0/24) and the VMs NAT 10.0.10.6 and WEB 10.0.5.5, drawn without the per-subnet .1 gateway addresses]

Page 36 (repeated as Page 37)

User Defined Routes - UDRs

[Diagram: the same subnets (MGMT 10.0.0.0/24, WEB 10.0.5.0/24, NAT 10.0.10.0/24, Internal-LB 10.0.4.0/24, DMZ 10.0.3.0/24, Trust 10.0.2.0/24, Untrust 10.0.1.0/24) and the VMs NAT 10.0.10.6 and WEB 10.0.5.5, now with .4 next-hop addresses shown]

Page 38

Basic Three-Tier Application

Page 39

Typical Deployment Model

• Internet user: IP 199.167.52.5

• VM-Series firewall, eth1 -> ethernet1/1: Private IP 10.0.1.4, Public IP 52.173.129.45, in Untrust subnet 10.0.1.0/24

• VM-Series firewall, eth2 -> ethernet1/2: Private IP 10.0.7.4, in Trust subnet 10.0.7.0/24 (UDR: 0.0.0.0/0 -> 10.0.7.4)

• Web: Private IP 10.0.2.5, subnet 10.0.2.0/24

• APP: Private IP 10.0.3.5, subnet 10.0.3.0/24

• DB: Private IP 10.0.4.5, subnet 10.0.4.0/24

• Express Route Gateway subnet 10.0.9.0/28; Express Route / VPN Tunnel (Private Peering) to Customer DC subnet 172.16.0.0/16

Page 40

Typical Deployment Model: UDRs

• Web subnet 10.0.2.0/24 (Web VM 10.0.2.5), UDRs:
  10.0.3.0/24 -> 10.0.7.4
  10.0.4.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• APP subnet 10.0.3.0/24 (APP VM 10.0.3.5), UDRs:
  10.0.2.0/24 -> 10.0.7.4
  10.0.4.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• DB subnet 10.0.4.0/24 (DB VM 10.0.4.5), UDRs:
  10.0.3.0/24 -> 10.0.7.4
  10.0.2.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• Trust subnet 10.0.7.0/24 (firewall eth2 -> ethernet1/2, Private IP 10.0.7.4), UDR:
  0.0.0.0/0 -> 10.0.7.4

• Untrust subnet 10.0.1.0/24 (firewall eth1 -> ethernet1/1, Private IP 10.0.1.4, Public IP 52.173.129.45), UDRs:
  0.0.0.0/0 -> Internet
  10.0.2.0/24 -> 10.0.1.4
  10.0.3.0/24 -> 10.0.1.4
  10.0.4.0/24 -> 10.0.1.4
  10.0.7.0/24 -> 10.0.1.4
  172.16.2.0/16 -> Express Route

• Express Route UDR subnet 10.0.9.0/24 (Express Route Gateway subnet 10.0.9.0/28), UDRs:
  10.0.2.0/24 -> 10.0.1.4
  10.0.3.0/24 -> 10.0.1.4
  10.0.4.0/24 -> 10.0.1.4
  10.0.7.0/24 -> 10.0.1.4
  10.0.8.0/24 -> 10.0.1.4

• Firewall routing table:
  0.0.0.0/0 -> 10.0.1.1
  10.0.2.0/24 -> 10.0.7.1
  10.0.3.0/24 -> 10.0.7.1
  10.0.4.0/24 -> 10.0.7.1
  172.16.0.0/16 -> 10.0.1.1

• Internet user IP 199.167.52.5; Express Route / VPN Tunnel (Private Peering) to Customer DC subnet 172.16.0.0/16

Page 41

Typical Deployment Model: Express Route Connection

• Web subnet 10.0.2.0/24 (Web VM 10.0.2.5), UDRs:
  10.0.3.0/24 -> 10.0.7.4
  10.0.4.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• APP subnet 10.0.3.0/24 (APP VM 10.0.3.5), UDRs:
  10.0.2.0/24 -> 10.0.7.4
  10.0.4.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• DB subnet 10.0.4.0/24 (DB VM 10.0.4.5), UDRs:
  10.0.3.0/24 -> 10.0.7.4
  10.0.2.0/24 -> 10.0.7.4
  172.16.0.0/16 -> 10.0.7.4
  0.0.0.0/0 -> 10.0.7.4

• First firewall: eth1 -> ethernet1/1 Private IP 10.0.1.4, Public IP 52.173.129.45 (Untrust); eth2 -> ethernet1/2 Private IP 10.0.7.4 (Trust)
  Routing table:
  0.0.0.0/0 -> 10.0.1.1
  10.0.2.0/24 -> 10.0.7.1
  10.0.3.0/24 -> 10.0.7.1
  10.0.4.0/24 -> 10.0.7.1
  172.16.0.0/16 -> 10.0.1.1

• Second firewall: eth1 -> ethernet1/1 Private IP 10.0.1.5 (Untrust); eth2 -> ethernet1/2 Private IP 10.0.8.4 (Domain Trust)
  Routing table:
  0.0.0.0/0 -> 10.0.1.1
  10.0.2.0/24 -> 10.0.1.1
  10.0.3.0/24 -> 10.0.1.1
  10.0.4.0/24 -> 10.0.1.1
  10.0.7.0/24 -> 10.0.1.1
  172.16.0.0/16 -> 10.0.1.1

• Trust subnet 10.0.7.0/24, UDR:
  0.0.0.0/0 -> 10.0.7.4

• Domain Trust subnet 10.0.8.0/24, UDR:
  0.0.0.0/0 -> 10.0.8.4

• Untrust subnet 10.0.1.0/24, UDRs:
  0.0.0.0/0 -> Internet
  10.0.2.0/24 -> 10.0.1.4
  10.0.3.0/24 -> 10.0.1.4
  10.0.4.0/24 -> 10.0.1.4
  10.0.7.0/24 -> 10.0.1.4
  172.16.2.0/16 -> Express Route

• Express Route UDR subnet 10.0.9.0/24 (Express Route Gateway subnet 10.0.9.0/28), UDRs:
  10.0.2.0/24 -> 10.0.1.4
  10.0.3.0/24 -> 10.0.1.4
  10.0.4.0/24 -> 10.0.1.4
  10.0.7.0/24 -> 10.0.1.4
  10.0.8.0/24 -> 10.0.1.5

• Express Route Private Peering to Customer DC subnet 172.16.0.0/16; Internet

Page 42

Multi-IP Recommended Architectures

Page 43

Base Infrastructure

[Diagram, components as labelled:]

• Internet user reaching LB-Public (public IP IP-LB-Public), which front-ends availability set AS-FW-Untrust with a TCP/22 health probe

• Untrust subnet 10.0.1.0/24: INT-FW1-Untrust 10.0.1.5/24, INT-FW2-Untrust 10.0.1.6/24; public IPs IP-FW1-Egress and IP-FW2-Egress

• Firewalls VM-FW1 and VM-FW2 in availability set AS-FW, with NAT rules SNAT: INT-FWX-Trust and DNAT: 10.0.4.100

• Trust subnet 10.0.2.0/24: INT-FW1-Trust 10.0.2.5/24, INT-FW2-Trust 10.0.2.6/24 (availability set AS-FW-Trust)

• Egress subnet 10.0.3.0/24: internal load balancer LB-Egress at 10.0.3.100, with a TCP/22 health probe to AS-FW-Trust

• Web subnet 10.0.4.0/24: VM-Web1 (INT-Web1 10.0.4.50/2) and VM-Web2 (INT-Web2 10.0.4.51/24) in availability set AS-Web, behind internal load balancer LB-Web at 10.0.4.100 (HTTP/80)

• RT-Web route table on the Web subnet:
  0.0.0.0/0 > 10.0.3.100
  10.0.0.0/16 > 10.0.3.100
  10.0.4.0/24 > Virtual Network
  10.0.2.0/24 > Virtual Network
  168.63.129.16/32 > Virtual Network

Page 44

Inbound Request

[Same diagram as the Base Infrastructure slide, annotated: Enable Floating IP; SNAT: INT-FWX-Trust; DNAT: 10.0.4.100]

Page 45

Inbound Response

[Same diagram as the Base Infrastructure slide, annotated: Enable Floating IP; SNAT: INT-FWX-Trust; DNAT: 10.0.4.100]

The load balancer will transparently SNAT the outbound response to IP-LB-Public.

Page 46

Outbound Request

[Same diagram as the Base Infrastructure slide, annotated: RT-Web default route 0.0.0.0/0 > 10.0.3.100 (LB-Egress); Enable Floating IP; SNAT: INT-FWX-Untrust; egress public IPs IP-FW1-Egress and IP-FW2-Egress]

Page 47

Outbound Response

[Same diagram as the Base Infrastructure slide, annotated: SNAT: INT-FWX-Untrust; egress public IPs IP-FW1-Egress and IP-FW2-Egress]

Page 48

Health Probes

[Diagram: the firewall pair VM-FW1 / VM-FW2 (AS-FW); Untrust interfaces INT-FW1-Untrust 10.0.1.5/24 and INT-FW2-Untrust 10.0.1.6/24 (AS-FW-Untrust) probed on TCP/22 by LB-Public (IP-LB-Public); Trust interfaces INT-FW1-Trust 10.0.2.5/24 and INT-FW2-Trust 10.0.2.6/24 (AS-FW-Trust) probed on TCP/22 by LB-Egress at 10.0.3.100]

The Problem:

• Health checks always source from 168.63.129.16

• A virtual router can only route an IP address one direction

Page 49

High Availability Notes

Page 50

Challenges

- Speed

- Connectivity

Page 51

Solutions (Hint: Think “Cloudy”)

- Use services with high reliability and redundancy

- Scale out instead of up

- Spread the risk

Page 52

Templates

Page 53

ARM template

• Two JSON files

• Build the entire resource group, or create specific resources

• You can use more to separate resources and make it modular

• ResGp1.parameters.json: User needs to fill in: VM size, username, password…

• ResGp1.json: Main resources file

    {
      "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "",   // user-assigned label or version number of the template file
      "parameters": { },      // declare stuff from the .parameters.json file
      "variables": { },       // define static values you use repeatedly in the file
      "resources": [ ],       // this is where you ask for stuff: VM, NIC, IP... can configure their properties
      "outputs": { }          // output of this deployment request sent to Azure
    }

For more see: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authoring-templates/
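The following added example (not code from the slides or from Palo Alto Networks) models the RT-Web user-defined route table from the Base Infrastructure slide, checks the health-probe problem stated on the Health Probes slide, and renders the table as the kind of entry the "resources" array of the ARM template skeleton above carries. Route entries and addresses are the slides' own; the helper names, the FW_ROUTES map, the RT_WEB_BROKEN counter-example and the apiVersion value are this example's assumptions.

```python
"""UDR longest-prefix-match lookup, health-probe route check and ARM rendering
for the RT-Web route table of the Multi-IP architecture.

Added example; route entries come from the slides, helper names are assumed.
"""
import ipaddress
import json

# Azure load-balancer health probes always originate from this address.
PROBE_SOURCE = "168.63.129.16"

# RT-Web as shown on the slide: (prefix, nextHopType, nextHopIpAddress).
# "Virtual Network" on the slide is the ARM nextHopType "VirtualNetwork".
RT_WEB = [
    ("0.0.0.0/0",        "VirtualAppliance", "10.0.3.100"),  # LB-Egress
    ("10.0.0.0/16",      "VirtualAppliance", "10.0.3.100"),  # east-west via FW
    ("10.0.4.0/24",      "VirtualNetwork",   None),          # Web subnet itself
    ("10.0.2.0/24",      "VirtualNetwork",   None),          # Trust subnet
    ("168.63.129.16/32", "VirtualNetwork",   None),          # probe traffic
]

# Constructed counter-example: the same table without the /32 probe route.
RT_WEB_BROKEN = [r for r in RT_WEB if r[0] != "168.63.129.16/32"]


def lookup(table, dst):
    """Longest-prefix match over a UDR table; returns (nextHopType, nextHopIp).

    Azure selects the most specific matching prefix; with no match at all the
    traffic is dropped, reported here as ("None", None).
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_ip in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop_type, hop_ip)
    return ("None", None) if best is None else (best[1], best[2])


def probe_route_ok(table):
    """True when replies to the probe source stay inside the VNet.

    Without the /32 entry, 168.63.129.16 falls under 0.0.0.0/0 -> 10.0.3.100:
    probe replies from the web tier would be sent towards LB-Egress and the
    firewalls instead of back to LB-Web, and LB-Web would mark its back ends down.
    """
    return lookup(table, PROBE_SOURCE) == ("VirtualNetwork", None)


# The firewall's virtual router holds ONE route for 168.63.129.16/32, so it can
# answer probes correctly on only one interface. Constructed: routed out the
# Untrust interface (ethernet1/1), where LB-Public's probes arrive.
FW_ROUTES = {"168.63.129.16/32": "ethernet1/1"}


def probe_reply_symmetric(fw_routes, ingress_iface):
    """True when a probe arriving on ingress_iface is answered out the same
    interface; otherwise the reply is asymmetric and that probe fails."""
    return fw_routes.get("168.63.129.16/32") == ingress_iface


def to_arm_route_table(name, table, location="[resourceGroup().location]"):
    """Render a UDR table as a Microsoft.Network/routeTables resource, i.e. one
    element of the "resources" array in an ARM template."""
    routes = []
    for i, (prefix, hop_type, hop_ip) in enumerate(table):
        props = {"addressPrefix": prefix, "nextHopType": hop_type}
        if hop_type == "VirtualAppliance":
            props["nextHopIpAddress"] = hop_ip  # only appliances take a hop IP
        routes.append({"name": f"route-{i}", "properties": props})
    return {
        "type": "Microsoft.Network/routeTables",
        "apiVersion": "2020-05-01",  # assumption: any routeTables-capable version
        "name": name,
        "location": location,
        "properties": {"routes": routes},
    }


if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.0.7.4", "10.0.2.5", PROBE_SOURCE):
        print(dst, "->", lookup(RT_WEB, dst))
    print("probe route ok (RT-Web / broken):",
          probe_route_ok(RT_WEB), probe_route_ok(RT_WEB_BROKEN))
    print("LB-Public probe on ethernet1/1 answered symmetrically:",
          probe_reply_symmetric(FW_ROUTES, "ethernet1/1"))
    print("LB-Egress probe on ethernet1/2 answered symmetrically:",
          probe_reply_symmetric(FW_ROUTES, "ethernet1/2"))
    print(json.dumps(to_arm_route_table("RT-Web", RT_WEB), indent=2))
```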

Page 54

Overview

• Review ARM template for deploying VM-Series
  • vmseries.json and vmseries.parameters.json

• Deploy via Azure CLI:

    azure group deployment create -g <ResourceGroup> -n <DeploymentName> \
      -f vmseries.json \
      -e vmseries.parameters.json -v

• Monitor progress of deployment in Azure web portal and on CLI

• Play around the Azure portal: resource group, VNET, subnets, VM’s

• Connect into VM-Series, configure DHCP on dataplane interfaces

• Review UDR route tables in Azure portal

• Learn basic debugging in Azure portal

Page 55

Miscellaneous

Page 56

Features Not Supported (Yet)

• (native) VM Monitoring

• Customers can create Azure PowerShell scripts to feed in DAGs for this

▪ VM Monitoring will be available in future as an addon component (scripts) similar to support for KVM/OpenStack

Page 57

Questions?

Page 58

Resources

- https://github.com/PaloAltoNetworks/azure/tree/master/two-tier-sample

- https://azure.microsoft.com/en-us/offers/ms-azr-0044p/

Page 59

Open Q&A

Page 60

Thank you! Session recording will be posted shortly here: http://aka.ms/MNA