Microsoft Networking Academy with the C+E Global Black Belts

Olivier Martin (@omartin) – Networking TSP GBB
Kevin Lopez (@kevlopez) – ER Partner Sales Executive GBB
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive GBB
Eddie Villalba (@edvilla) – Networking and Open Source TSP GBB
Bryan Woodworth (@brwoodwo) – Networking TSP GBB


Post on 22-May-2020


Before we get started

• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Agenda is posted at http://aka.ms/mna
• Sessions are recorded and posted here: http://aka.ms/mna-ch9

Microsoft Networking Academy Update

Summer time… going on hiatus.

But you can watch the archive on Channel 9: http://aka.ms/mna-ch9

Other info on the series: http://aka.ms/MNA

Agenda for June 9th, 2017

• Introduction
• New things in Networking this month
• Deep dive on Application Gateway/Web Application Firewall
• Open Q&A

New Virtual Network Gateway (VPN) SKUs!

Performance:
• Basic: 100 Mbps
• VpnGw1: 500 Mbps
• VpnGw2: 1,000 Mbps
• VpnGw3: 1,250 Mbps

IPsec Policy configurations

New crypto support:
• Diffie-Hellman Groups 1, 2, 14, 24, ECP256 and ECP384

Why use it?
• Can connect a policy-based device to a route-based gateway
• Traffic selectors for multiple policy-based devices

Azure Load Balancer hierarchy

Azure service | What | Example
Traffic Manager (TM) | Cross-region redirection and availability | http://news.com: apac.news.com, emea.news.com, us.news.com
Azure Load Balancer (SLB, ILB) | In-region scalability and availability | emea.news.com: AppGw1, AppGw2, AppGw2
Azure Application Gateway (AppGW) | URL/content-based routing and load balancing | news.com/top news, news.com/sports, news.com/images
VMs | Web servers | IIS, Apache, Tomcat

[Diagram: Internet, Azure Traffic Manager (DNS load balancer), Application Gateways, VMs]

Layers: Addressing, Transport, Application

Feature | Coverage | Deployment
Traffic Manager | DNS | Infrastructure
Load Balancer | Layer 4 (TCP/UDP) | Infrastructure
Application Gateway | Layer 7 (HTTP/HTTPS) | Dedicated

Enhanced connectivity options

• Round robin load distribution
• Backend comprises
  • VMs via NICs
  • Internal IP
  • External Public IP
  • VMSS
• Connect across
  • VMs in same VNet
  • VMs across connected VNets
  • Cloud services
  • On-premises VMs

[Diagram: Application Gateway receiving HTTPS and reaching Cloud Services, VNET 1 and VNET 2]

SSL management

• SSL termination
  • Increased web farm productivity
  • Central SSL management
• User configurable SSL policy
  • Allow/block SSL protocols
  • Ciphers
• End to end SSL encryption
  • Secure backend communication
  • Enable whitelisting

[Diagram: Application Gateway, HTTPS TLS1.1, Backend Pool 1, Backend Pool 2, Whitelist]

URL routing and multi-site support

• URL based routing
  • Backend pool selection based on request path
  • Configure up to 20 backend pools
• Multi site support
  • Pack up to 20 different domains or subdomains
  • Each domain to its own backend pool
  • SSL offload via Server Name Indication (SNI)

[Diagram: Application Gateway routing contoso.com/video/* to Videos, contoso.com/images/* to Images, and fabrikam.com to its own backend; hosts shown: contoso.com, fabrikam.com]

Custom probes and Micro-services

• Cookie based affinity
  • Pin HTTP session to same backend
  • Cookie lifecycle managed by Gateway
• Custom probes
  • User defined probes
  • Probe configured at HTTPBackendSettings
• Multiple probes to same VM on different ports
  • Each port running a different service

[Diagram: Application Gateway, Backend Pool]

Diagnostics

• Integrated with Azure Monitor for customer access
• Access logs
  • Logs each request/response
  • Log frequency every 5 mins
• Performance logs
  • Logs gateway instance data
  • Log frequency every 1 min
• Backend health logs
• WAF logs
• Metrics data
  • Alerts
  • Webjobs

Sample log records from the slide:

{"instanceId":"ApplicationGatewayRole_IN_1","healthyHostCount":"4","unHealthyHostCount":"0","requestCount":"185","latency":"0","failedRequestCount":"0","throughput":"119427"}

{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"37.186.113.170","clientPort":"12345","httpMethod":"HEAD","requestUri":"/xyz/portal","requestQuery":"","userAgent":"-","httpStatus":"200","httpVersion":"HTTP/1.0","receivedBytes":"27","sentBytes":"202","timeTaken":"359","sslEnabled":"off"}
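Access-log records with the fields shown on the Diagnostics slide can be reviewed offline for cleartext requests, error-heavy clients and slow requests. This is an added example, not part of the original deck: the sample records are constructed, it assumes one flat JSON object per line with the slide's field names, and it treats timeTaken as milliseconds (an assumption).

```python
import json
from collections import Counter

# Constructed sample lines; field names follow the access-log record on the slide.
# Assumption: one flat JSON object per line (real exports may wrap these fields).
SAMPLE = "\n".join([
    '{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"203.0.113.7","httpMethod":"POST","requestUri":"/login","httpStatus":"200","timeTaken":"41","sslEnabled":"off"}',
    '{"instanceId":"ApplicationGatewayRole_IN_1","clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/admin","httpStatus":"403","timeTaken":"12","sslEnabled":"on"}',
    '{"instanceId":"ApplicationGatewayRole_IN_1","clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/backup","httpStatus":"404","timeTaken":"9","sslEnabled":"on"}',
    '{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"198.51.100.9","httpMethod":"GET","requestUri":"/api","httpStatus":"502","timeTaken":"3050","sslEnabled":"on"}',
    '{"instanceId":"ApplicationGatewayRole_IN_0","clientIP":"203.0.113.7"',  # truncated line
])

def parse_records(text):
    """Return (records, skipped): parsed lines and the count of malformed ones."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # keep going; a truncated line must not hide the rest
    return records, skipped

def to_int(rec, field):
    # Every value in the record is a string, so convert before comparing.
    try:
        return int(rec.get(field, ""))
    except (TypeError, ValueError):
        return -1

def review(records, error_threshold=2, slow_ms=1000):
    """Summarise cleartext requests, clients with many 4xx/5xx, and slow requests."""
    cleartext = [r.get("requestUri") for r in records if r.get("sslEnabled") == "off"]
    errors = Counter(r.get("clientIP") for r in records if to_int(r, "httpStatus") >= 400)
    noisy = sorted(ip for ip, n in errors.items() if n >= error_threshold)
    slow = [r.get("requestUri") for r in records if to_int(r, "timeTaken") >= slow_ms]
    return {"cleartext": cleartext, "error_heavy_clients": noisy, "slow": slow}

if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE)
    print(skipped, review(recs))
```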

Protect applications from web based intrusions

• Highly available, fully managed
• Built using ModSecurity Core Rule Set, most popular WAF deployment
• Wide community support
• Preconfigured with OWASP core rule set for common top 10 web vulnerabilities protection

[Diagram: valid requests pass through the Application Gateway WAF (L7 LB) to Site 1 and Site 2; SQL injection and XSS attacks are marked blocked (×)]

Provisioning
• WAF SKU for Application Gateway with WAF enabled
• Available in ARM stack only
• Detection and Prevention modes

Real time monitoring
• WAF logs integrated with Azure Monitor
• Azure Security Center

Manage
• Portal, PowerShell, CLI, SDK supported

[Diagram: Application Gateway WAF (L7 LB) with Azure Security Center, Azure Monitor and Storage]

RuleSet Offered
▪ CRS 2.2.9
▪ CRS 3.0

Protect from
▪ SQL Injection
▪ Cross site scripting
▪ Protocol violations
▪ Generic attacks
▪ HTTP rate limiting
▪ Scanner detection
▪ Session fixation
▪ LFI/RFI

Rule Configurability
▪ Change RuleSet CRS 2.2.9 or CRS 3.0
▪ Enable or Disable entire RuleGroups
▪ Disable individual rules to eliminate false positives
▪ Prevention/Detection modes

[Diagram: WAF hierarchy of RuleSet, Rule Group, Rule]

▪ Enable WAF log via Monitor
▪ Realtime logs to monitor attacks
▪ WAF logs integrated with
  ▪ Customer storage account in JSON format
  ▪ Event Hub
  ▪ OMS Log Analytics enabling search

[Diagram: WAF, Azure Monitor]

Azure Security Center
▪ Recommendation
▪ Health alerts
▪ Application health

▪ HTTP to HTTPS redirects
  ▪ Global and path based redirects
▪ Cipher suite control
▪ Connection draining
▪ Integration with Azure Web Apps


Open Q&A

Thank you!

Session recording will be posted shortly here: http://aka.ms/MNA