Microsoft Networking Academy with the C+E Global Black Belts
Olivier Martin (@omartin) – Networking TSP GBB
Kevin Lopez (@kevlopez) – ER Partner Sales Executive GBB
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive GBB
Eddie Villalba (@edvilla) – Networking and Open Source TSP GBB
Bryan Woodworth (@brwoodwo) – Networking TSP GBB
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Agenda is posted at http://aka.ms/mna
• Sessions are recorded and posted here: http://aka.ms/mna-ch9
Microsoft Networking Academy Update
Summer time… going on hiatus.
But you can watch the archive on Channel 9: http://aka.ms/mna-ch9
Other info on the series: http://aka.ms/MNA
Agenda for June 9th, 2017
• Introduction
• New things in Networking this month
• Deep dive on Application Gateway/Web Application Firewall
• Open Q&A
New Virtual Network Gateway (VPN) SKUs!
Performance:
SKU    | Throughput
Basic  | 100 Mbps
VpnGw1 | 500 Mbps
VpnGw2 | 1,000 Mbps
VpnGw3 | 1,250 Mbps
New crypto support:
• Diffie-Hellman Groups 1, 2, 14, 24, ECP256 & ECP384
  (Groups 1 and 2 are the 768-bit and 1024-bit MODP groups and are offered for compatibility with older devices; prefer Group 14, ECP256 or ECP384 whenever the on-premises device supports them.)
IPsec policy configurations:
• Why use it? It lets you connect a policy-based device to a route-based gateway
• Traffic selectors for multiple policy-based devices
Azure Load Balancer hierarchy

Azure service | What | Example
Traffic Manager (TM) | Cross-region redirection and availability | http://news.com -> apac.news.com, emea.news.com, us.news.com
Azure Load Balancer (SLB, ILB) | In-region scalability and availability | emea.news.com -> AppGw1, AppGw2
Azure Application Gateway (AppGW) | URL/content-based routing and load balancing | news.com/top news, news.com/sports, news.com/images
VMs | Web servers | IIS, Apache, Tomcat
[Diagram: Internet -> Azure Traffic Manager (DNS load balancer) -> several Application Gateways -> a pool of VMs behind each gateway]
Feature coverage

Service | Layer | Coverage | Deployment
Traffic Manager | Addressing | DNS | Infrastructure
Load Balancer | Transport | Layer 4 (TCP/UDP) | Infrastructure
Application Gateway | Application | Layer 7 (HTTP/HTTPS) | Dedicated
Enhanced connectivity options
[Diagram: Application Gateway reaching backends over HTTPS in VNET 1, VNET 2 and Cloud Services]
• Round robin load distribution
• Backend pool can be made of
  • VMs via NICs
  • Internal IPs
  • External public IPs
  • VMSS
• Connect across
  • VMs in the same VNet
  • VMs across connected VNets
  • Cloud services
  • On-premises VMs
SSL management
[Diagram: client HTTPS terminated at the Application Gateway; re-encrypted HTTPS (TLS 1.1 in the slide) to Backend Pool 1 and Backend Pool 2, whose certificates are whitelisted on the gateway]
• SSL termination: TLS is handled at the gateway, increasing web farm productivity
• Central SSL management
• User-configurable SSL policy
  • Allow/block SSL protocols (the diagram shows TLS 1.1; TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so set the policy's minimum protocol version to TLS 1.2)
  • Ciphers
• End-to-end SSL encryption
  • Secure backend communication
  • Enable whitelisting of the backend certificates the gateway trusts
URL routing and multi-site support
• URL-based routing
  • Backend pool selection based on request path
  • Configure up to 20 backend pools
• Multi-site support
  • Pack up to 20 different domains or subdomains
  • Each domain to its own backend pool
  • SSL offload via Server Name Indication (SNI)
[Diagram: one Application Gateway fronting contoso.com and fabrikam.com; contoso.com/video/* -> Videos pool, contoso.com/images/* -> Images pool, fabrikam.com -> its own pool]
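The two-step selection the slide draws (site by host name, then backend pool by path) as an added example; this is not Microsoft's code or Application Gateway's implementation, just a model of the routing decision. The host names and path patterns (contoso.com, fabrikam.com, /video/*, /images/*) come from the slide; the pool names "Videos", "Images", "ContosoDefault" and "Fabrikam", the first-match rule order and the "trailing * matches any suffix" pattern semantics are assumptions of this model.

```python
# Added example (not Microsoft's code): model of how a request is mapped to a
# backend pool, first by host (multi-site listener, chosen via SNI / Host header),
# then by URL path rule. Pool names, rule order and pattern semantics are assumed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PathRule:
    pattern: str  # "/video/*": prefix "/video/" plus any suffix; without "*": exact match
    pool: str


@dataclass
class Site:
    host: str            # multi-site listener: matched against SNI / Host header
    default_pool: str    # used when no path rule matches
    rules: List[PathRule] = field(default_factory=list)


def normalise_host(host: str) -> str:
    """Host names are case-insensitive and a :port suffix is not part of the site."""
    return host.strip().lower().split(":")[0]


def path_matches(pattern: str, path: str) -> bool:
    """'/video/*' matches '/video/' and '/video/x' but not '/videos/x' or '/video'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def select_pool(sites: List[Site], host: str, path: str) -> Optional[str]:
    """Step 1: pick the site by host (listener). Step 2: first matching path rule
    wins, otherwise the site's default pool. Unknown host -> None (no listener)."""
    wanted = normalise_host(host)
    site = next((s for s in sites if s.host == wanted), None)
    if site is None:
        return None
    for rule in site.rules:
        if path_matches(rule.pattern, path):
            return rule.pool
    return site.default_pool


# Configuration mirroring the slide's diagram (pool names assumed).
SITES = [
    Site("contoso.com", "ContosoDefault",
         [PathRule("/video/*", "Videos"), PathRule("/images/*", "Images")]),
    Site("fabrikam.com", "Fabrikam"),
]

if __name__ == "__main__":
    for h, p in [("contoso.com", "/video/intro.mp4"),
                 ("CONTOSO.COM:443", "/images/logo.png"),
                 ("contoso.com", "/videos/intro.mp4"),
                 ("fabrikam.com", "/"),
                 ("other.example", "/")]:
        print(f"{h}{p} -> {select_pool(SITES, h, p)}")
```

The third call is the case worth remembering when writing path rules: `/videos/intro.mp4` does not match `/video/*`, so it silently lands on the default pool rather than the Videos pool.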
Custom probes and micro-services
[Diagram: Application Gateway probing the services in a backend pool]
• Cookie-based affinity
  • Pins an HTTP session to the same backend
  • Cookie lifecycle managed by the gateway
• Custom probes
  • User-defined probes
  • Probe configured on the HTTPBackendSettings
  • Multiple probes to the same VM on different ports
  • Each port running a different service
Diagnostics
• Integrated with Azure Monitor for customer access
• Access logs: log each request/response; written every 5 minutes
• Performance logs: log per-gateway-instance data; written every 1 minute
• Backend health logs
• WAF logs
• Metrics data: alerts, webjobs
Sample performance log record (one JSON object per record; note that the counters are emitted as strings, not numbers):
{"instanceId":"ApplicationGatewayRole_IN_1","healthyHostCount":"4","unHealthyHostCount":"0","requestCount":"185","latency":"0","failedRequestCount":"0","throughput":"119427"}
Sample access log record:
{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"37.186.113.170","clientPort":"12345","httpMethod":"HEAD","requestUri":"/xyz/portal","requestQuery":"","userAgent":"-","httpStatus":"200","httpVersion":"HTTP/1.0","receivedBytes":"27","sentBytes":"202","timeTaken":"359","sslEnabled":"off"}
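Turning the two record shapes above into something actionable, as an added example (not code from the slides or from Microsoft): it reads performance records to find gateway instances reporting unhealthy backends and their failure rate, and reads access records to flag plaintext requests, backend errors and slow requests. The sample lines are constructed in the shape of the slide's samples, using documentation IP addresses; the slow-request threshold is applied in the log's own unit of `timeTaken` (milliseconds in the slide's sample) and is an assumption.

```python
# Added example (not Microsoft's code): triage of Application Gateway performance
# and access log records. Sample lines are constructed, not captured traffic.
import json
from collections import Counter

PERF_LOG = """\
{"instanceId":"ApplicationGatewayRole_IN_0","healthyHostCount":"4","unHealthyHostCount":"0","requestCount":"185","latency":"0","failedRequestCount":"0","throughput":"119427"}
{"instanceId":"ApplicationGatewayRole_IN_1","healthyHostCount":"2","unHealthyHostCount":"2","requestCount":"190","latency":"12","failedRequestCount":"19","throughput":"98000"}
"""

ACCESS_LOG = """\
{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"203.0.113.10","clientPort":"12345","httpMethod":"HEAD","requestUri":"/xyz/portal","requestQuery":"","userAgent":"-","httpStatus":"200","httpVersion":"HTTP/1.0","receivedBytes":"27","sentBytes":"202","timeTaken":"359","sslEnabled":"off"}
{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"203.0.113.10","clientPort":"12346","httpMethod":"GET","requestUri":"/login","requestQuery":"","userAgent":"Mozilla/5.0","httpStatus":"200","httpVersion":"HTTP/1.1","receivedBytes":"410","sentBytes":"5120","timeTaken":"48","sslEnabled":"on"}
{"instanceId":"ApplicationGatewayRole_IN_1","clientIP":"198.51.100.7","clientPort":"5555","httpMethod":"POST","requestUri":"/api/orders","requestQuery":"","userAgent":"curl/7.52","httpStatus":"502","httpVersion":"HTTP/1.1","receivedBytes":"880","sentBytes":"0","timeTaken":"30012","sslEnabled":"on"}
"""


def parse_log(text):
    """One JSON object per line, blank lines ignored. Numeric fields arrive as strings,
    so every consumer below converts explicitly instead of comparing strings."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def unhealthy_instances(perf_records):
    """Instances reporting at least one unhealthy backend host, with their failed-request rate."""
    out = {}
    for r in perf_records:
        unhealthy = int(r["unHealthyHostCount"])
        requests = int(r["requestCount"])
        failed = int(r["failedRequestCount"])
        if unhealthy > 0:
            out[r["instanceId"]] = {
                "unhealthyHosts": unhealthy,
                "failedRequestRate": failed / requests if requests else 0.0,
            }
    return out


def audit_access(access_records, slow_threshold=5000):
    """Findings as (kind, clientIP, requestUri): plaintext (sslEnabled != on),
    backend-error (HTTP 5xx) and slow (timeTaken above threshold, log's own unit)."""
    findings = []
    for r in access_records:
        status = int(r["httpStatus"])
        taken = int(r["timeTaken"])
        if r["sslEnabled"] != "on":
            findings.append(("plaintext", r["clientIP"], r["requestUri"]))
        if status >= 500:
            findings.append(("backend-error", r["clientIP"], r["requestUri"]))
        if taken > slow_threshold:
            findings.append(("slow", r["clientIP"], r["requestUri"]))
    return findings


def top_clients(access_records, n=5):
    """Most active client IPs; a first look when request counts spike."""
    return Counter(r["clientIP"] for r in access_records).most_common(n)


if __name__ == "__main__":
    perf, acc = parse_log(PERF_LOG), parse_log(ACCESS_LOG)
    print("unhealthy:", unhealthy_instances(perf))
    for finding in audit_access(acc):
        print("finding:", finding)
    print("top clients:", top_clients(acc))
```

The plaintext check is the one to keep when the gateway is meant to be HTTPS-only: a request logged with `sslEnabled` off means an HTTP listener is still reachable, which the SSL policy alone does not prevent.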
Protect applications from web-based intrusions
• Highly available, fully managed
• Built on the ModSecurity Core Rule Set, the most popular WAF deployment, with wide community support
• Preconfigured with the OWASP core rule set for protection against the common top 10 web vulnerabilities, e.g. SQL injection and XSS attacks
[Diagram: a valid request passes; a SQL injection and an XSS attack are blocked by the Application Gateway WAF (L7 LB) in front of Site 1 and Site 2]
Provisioning: WAF SKU for Application Gateway with WAF enabled
• Available in ARM stack only
• Detection and Prevention modes
Real-time monitoring: WAF logs integrated with Azure Monitor and Azure Security Center
Manage: Portal, PowerShell, CLI, SDK supported
[Diagram: Application Gateway WAF (L7 LB) feeding Azure Security Center, Azure Monitor and Storage]
RuleSet offered
▪ CRS 2.2.9
▪ CRS 3.0
Protect from
▪ SQL Injection
▪ Cross-site scripting
▪ Protocol violations
▪ Generic attacks
▪ HTTP rate limiting
▪ Scanner detection
▪ Session fixation
▪ LFI/RFI
Rule configurability
▪ Change RuleSet: CRS 2.2.9 or CRS 3.0
▪ Enable or disable entire RuleGroups
▪ Disable individual rules to eliminate false positives
▪ Prevention/Detection modes (Detection mode only logs matches; run in Detection first, disable the rules that fire on legitimate traffic, then switch to Prevention)
Hierarchy: RuleSet > Rule Group > Rule
WAF logs
▪ Enable the WAF log via Azure Monitor
▪ Real-time logs to monitor attacks
▪ WAF logs integrated with
  ▪ Customer storage account, in JSON format
  ▪ Event Hub
  ▪ OMS Log Analytics, enabling search
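Putting the JSON WAF logs to work for the false-positive tuning described under rule configurability, as an added example (not code from the slides or from Microsoft). It groups firewall log records by rule, separates a rule that many distinct clients trip on one URI (usually legitimate traffic hitting a protocol check) from a single client tripping several rules (probing), reads the gateway's mode from the logged action, and emits the rule IDs to disable in the shape of the ARM `disabledRuleGroups` property. The log lines are constructed; the field names are an approximation of the firewall log schema and the rule IDs are CRS 3.0 identifiers used for illustration. The rule group name is assumed to be the basename of `details.file`, and the two heuristics are assumptions to be tuned per site.

```python
# Added example (not Microsoft's code): WAF log triage for false-positive tuning.
# Log lines below are constructed; field names approximate the firewall log schema.
import json
from collections import defaultdict
from pathlib import PurePosixPath

WAF_LOG = """\
{"instanceId":"ApplicationGatewayRole_IN_0","clientIp":"198.51.100.7","requestUri":"/search","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Detected","site":"Global","details":{"data":"ARGS:q: ' or 1=1--","file":"rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf","line":"45"}}
{"instanceId":"ApplicationGatewayRole_IN_0","clientIp":"198.51.100.7","requestUri":"/login","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"941100","message":"XSS Attack Detected via libinjection","action":"Detected","site":"Global","details":{"data":"ARGS:user: <script>alert(1)</script>","file":"rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf","line":"62"}}
{"instanceId":"ApplicationGatewayRole_IN_1","clientIp":"203.0.113.10","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920350","message":"Host header is a numeric IP address","action":"Detected","site":"Global","details":{"data":"10.1.0.4","file":"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","line":"791"}}
{"instanceId":"ApplicationGatewayRole_IN_1","clientIp":"203.0.113.11","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920350","message":"Host header is a numeric IP address","action":"Detected","site":"Global","details":{"data":"10.1.0.4","file":"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","line":"791"}}
{"instanceId":"ApplicationGatewayRole_IN_0","clientIp":"203.0.113.12","requestUri":"/api/orders","ruleSetType":"OWASP","ruleSetVersion":"3.0","ruleId":"920350","message":"Host header is a numeric IP address","action":"Detected","site":"Global","details":{"data":"10.1.0.4","file":"rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf","line":"791"}}
"""


def parse_waf_log(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarise_rules(records):
    """Per rule: hit count, distinct clients, distinct URIs and the rule group
    (assumed: basename of details.file, e.g. REQUEST-920-PROTOCOL-ENFORCEMENT)."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["ruleId"], {
            "message": r["message"],
            "group": PurePosixPath(r["details"]["file"]).stem,
            "hits": 0, "clients": set(), "uris": set()})
        s["hits"] += 1
        s["clients"].add(r["clientIp"])
        s["uris"].add(r["requestUri"])
    return summary


def false_positive_candidates(summary, min_clients=3):
    """Heuristic: many distinct clients tripping one rule on a single URI is
    usually legitimate traffic (here: API clients sending the backend IP as Host)."""
    return sorted(rid for rid, s in summary.items()
                  if len(s["clients"]) >= min_clients and len(s["uris"]) == 1)


def suspicious_clients(records, min_rules=2):
    """Heuristic: one client tripping several different rules looks like probing."""
    rules_by_client = defaultdict(set)
    for r in records:
        rules_by_client[r["clientIp"]].add(r["ruleId"])
    return sorted(ip for ip, rules in rules_by_client.items() if len(rules) >= min_rules)


def gateway_mode(records):
    """Detection mode logs matches as 'Detected'; Prevention mode logs 'Blocked'."""
    actions = {r["action"] for r in records}
    if "Blocked" in actions:
        return "Prevention"
    return "Detection" if "Detected" in actions else "Unknown"


def disabled_rule_groups(rule_ids, summary):
    """Shape of the ARM webApplicationFirewallConfiguration.disabledRuleGroups property."""
    groups = defaultdict(list)
    for rid in rule_ids:
        groups[summary[rid]["group"]].append(int(rid))
    return [{"ruleGroupName": g, "rules": sorted(ids)} for g, ids in sorted(groups.items())]


if __name__ == "__main__":
    recs = parse_waf_log(WAF_LOG)
    summary = summarise_rules(recs)
    print("mode:", gateway_mode(recs))
    print("probing clients:", suspicious_clients(recs))
    fps = false_positive_candidates(summary)
    print("disable:", json.dumps(disabled_rule_groups(fps, summary)))
```

Disabling a single rule ID, as the output does, is the narrow fix the slide recommends; disabling the whole rule group to silence one noisy rule would also drop the other protocol-enforcement checks in it.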
Azure Security Center
▪ Recommendations
▪ Health alerts
▪ Application health
▪ HTTP to HTTPS redirects
▪ Global and path-based redirects
▪ Cipher suite control
▪ Connection draining
▪ Integration with Azure Web Apps
Open Q&A
Thank you! Session recording will be posted shortly here: http://aka.ms/MNA