
Upload: winfred-cox

Post on 29-Dec-2015


Partner Practice Enablement - Overview

This session is focused on networking with Microsoft Azure Infrastructure Services. Learn how to enable, secure and load balance network endpoints. Learn about hybrid connectivity options with Microsoft Azure Virtual Networks as well as distributing traffic globally with Microsoft Azure Traffic Manager.

Audience: IT Professionals, Architects

Module 1 – Introduction to Microsoft Azure

Module 2 – Microsoft Azure Virtual Machines

Module 3 – Microsoft Azure Networking

Module 4 – Microsoft Azure Active Directory

Module 5 - Cloud Services and Web Sites

Module 6 - SQL Server and SharePoint

Module 7 - Management and Monitoring

About the Instructor

Michael Washam, Microsoft Azure Trainer
CEO & Co-Founder of Opsgility, experts in instructor-led Microsoft Azure training.

Prior to starting Opsgility, Michael was a Principal Cloud Architect with a leading solution integrator and a fifteen-year Microsoft veteran. While at Microsoft, Michael's roles included Senior Program Manager on the Microsoft Azure Runtime team and Senior Technical Evangelist for Microsoft Azure Infrastructure Services.

Michael was the original developer of the Microsoft Azure PowerShell cmdlets and is a globally recognized speaker at conferences such as TechEd and BUILD.

http://www.opsgility.com
Twitter: @MWashamTX
[email protected]

Microsoft Azure Networking

Agenda

Endpoints
Virtual Networks
Point to Site
Site to Site
ExpressRoute
Traffic Manager

Endpoints

Overview: Connectivity in Azure

Input Endpoint (VIP)
• Forwards public -> private traffic per port
• Listens on the public IP address of the cloud service
• Optionally load balanced across multiple virtual machines
• Supported protocols: TCP/UDP
• Default endpoints: RDP and PowerShell

Public Virtual IP Address (VIP)
Public IP address of the cloud service (cloudservice.cloudapp.net).
• Can change if all virtual machines are deleted or stopped
• Support for reserved IP addresses in cases where the IP should not change

Internal IP Address
Internal IP address of a virtual machine, set by Microsoft Azure from its own address pool, or from your own address pool if using a virtual network. Can change unless deployed into a virtual network.

Reserved IP Addresses

Reserved IP Addresses for Cloud Service IPs
Persistent external IP address even if all virtual machines are stopped or deleted.

Set via the Azure PowerShell cmdlets:

    New-AzureReservedIP -ReservedIPName "myIP" `
        -Location "West US"

    New-AzureVM -ReservedIPName "myIP" ...

Diagram: IIS-VM1 and IIS-VM2 behind contososvc.cloudapp.net; 137.135.67.36 = myIP

Port Forwarding Input Endpoints
Single public IP per cloud service; multiple VMs cannot share the same public port.

Endpoint VM1: Public Port 6510, Local Port 3389, Protocol TCP, Name "Remote Desktop"
Endpoint VM2: Public Port 6511, Local Port 3389, Protocol TCP, Name "Remote Desktop"

Diagram: the cloud service VIP forwards public port 6510 to port 3389 on VM1 and public port 6511 to port 3389 on VM2.

Per Virtual Machine Public IP Addresses
• Each virtual machine can be assigned a public IP address
• IP is not load balanced or behind a firewall
• Not available in all regions

Diagram: contososvc.cloudapp.net with IIS-VM1 (public IP 23.100.44.180) and IIS-VM2 (public IP 23.100.44.181); each VM also has a TCP endpoint on the cloud service VIP (public port 5001 / 5002 -> private port 3389).

    New-AzureVMConfig -Name "vm1" ... | Add-AzureProvisioningConfig -Windows ... | Set-AzurePublicIP -PublicIPName "vm1ip" | New-AzureVM ...

DEMO: Default Networking Configuration

Using the External Load Balancer
Single public IP per cloud service; multiple VMs can share the same public port.

Endpoint VM1: Public Port 80, Local Port 80, Protocol TCP, Name HTTP, LBSetName LBHTTP
Endpoint VM2: Public Port 80, Local Port 80, Protocol TCP, Name HTTP, LBSetName LBHTTP

Diagram: port 80 on the cloud service VIP (contososvc.cloudapp.net) is load balanced across IIS-VM1, IIS-VM2 and IIS-VM3 in the cloud app / hosted service.

Default Probe Behavior (TCP Health Probe)
• Load balancer probes every 15 seconds
• Looks for ACK on socket connect
• Traffic stops until ACK received (two failures)
• Continues polling

Diagram: TCP health probe on port 80 against IIS-VM1, IIS-VM2 and IIS-VM3.

Load Balancer: Custom Health Probe (HTTP Health Probe)
• Health probe every 15 seconds
• HTTP 200 means healthy
• Traffic stops until 200 received (two failures)
• Continues polling until healthy
• Allows deeper inspection into the health of a web application via custom code

Diagram: HTTP probes on port 80 to http://IIS-VM1/healthcheck.aspx, http://IIS-VM2/healthcheck.aspx and http://IIS-VM3/healthcheck.aspx.
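As an added example (not code from the slides), the classic Azure PowerShell configuration that puts the HTTP endpoint of three existing IIS VMs into one load-balanced set with a custom HTTP probe; the service name, VM names and probe path are assumptions.

```powershell
# Added example, not from the slides. Assumed: service "contososvc", VMs IIS-VM1..3,
# probe page /healthcheck.aspx, and Select-AzureSubscription already run.
$serviceName = "contososvc"
$vmNames     = "IIS-VM1", "IIS-VM2", "IIS-VM3"

foreach ($vmName in $vmNames) {
    # The same LBSetName on every VM places them in one load-balanced set on public port 80.
    # Probe settings mirror the slide: every 15 s, out of rotation after two missed probes
    # (31 s timeout), back in as soon as a 200 is seen again.
    # The probe is an unauthenticated GET from the load balancer, so the page must not
    # require a login, and should return 200 only when the app's own dependencies respond.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Add-AzureEndpoint -Name "HTTP" -Protocol tcp -LocalPort 80 -PublicPort 80 `
            -LBSetName "LBHTTP" `
            -ProbeProtocol http -ProbePort 80 -ProbePath "/healthcheck.aspx" `
            -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 |
        Update-AzureVM
}

# Verify: every VM should report the same LB set and probe settings.
foreach ($vmName in $vmNames) {
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Get-AzureEndpoint -Name "HTTP" |
        Select-Object @{ n = "VM"; e = { $vmName } }, LBSetName, ProbeProtocol, ProbePath, ProbeIntervalInSeconds
}
```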

LAB 3: Load Balancer

Public Endpoint Access Control Lists
Tighten security with public Access Control Lists.

Configuring ACLs
Rule configuration:
• Specify remote subnet(s)
• Permit or Deny, and rule processing order
• Description for each rule
Configuration: portal or PowerShell
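Added example, not from the slides: an ACL that limits the port-forwarded Remote Desktop endpoints from the earlier slide to a single administrative subnet, applied with the classic Azure PowerShell cmdlets. The service name, VM names and the admin subnet (an RFC 5737 documentation range) are assumptions.

```powershell
# Added example, not from the slides. Assumed: service "contososvc", VMs "VM1"/"VM2" whose
# "Remote Desktop" endpoints sit on public ports 6510/6511, admin subnet 203.0.113.0/24.
$serviceName = "contososvc"
$adminSubnet = "203.0.113.0/24"
$rdpPorts    = @{ "VM1" = 6510; "VM2" = 6511 }

# One ACL object, reused for both endpoints. Rules are evaluated by -Order (lowest first);
# as soon as any Permit rule exists, every source not matched by a Permit rule is denied.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $adminSubnet `
    -Order 100 -Description "Corporate admin subnet only"

foreach ($vmName in $rdpPorts.Keys) {
    # Set-AzureEndpoint rewrites the endpoint definition, so protocol and ports are restated.
    Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Set-AzureEndpoint -Name "Remote Desktop" -Protocol tcp -LocalPort 3389 `
            -PublicPort $rdpPorts[$vmName] -ACL $acl |
        Update-AzureVM
}

# Verify the rule landed on each endpoint; an empty result means RDP is still open to all.
foreach ($vmName in $rdpPorts.Keys) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
    Get-AzureAclConfig -EndpointName "Remote Desktop" -VM $vm |
        Select-Object @{ n = "VM"; e = { $vmName } }, Order, Action, RemoteSubnet, Description
}
```

Endpoint ACLs only filter traffic that arrives through cloud service endpoints; the per-VM public IP slide notes that those addresses are not behind this firewall, so the guest OS firewall has to do the filtering there.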

LAB 4: Access Control Lists

Virtual Networks

Virtual Network
Logical isolation with control over the network
• Create subnets; use your private IP addresses
• Support for static IP addresses
• Support for internal load balancing
• DNS options – BYO or Microsoft Azure-provided
• Extend your trust boundary – VMs and Cloud Services on the same network

Diagram: a Microsoft Azure virtual network containing subnetX, subnetY, subnetZ and a DNS server.

Bring Your Own DNS
Specify DNS servers in the virtual network:
• Hosted in an Azure VM
• External
• On-premises (with hybrid connection)

VMs are assigned the specified DNS at boot. TIP: if DNS is added after a virtual machine is running, a reboot is required for assignment.

Diagram: virtual network with address space 10.0.0.0/16 and DNS servers AD-01 (10.0.0.4) and AD-02 (10.0.0.5). One cloud service holds IIS-VM-01 (10.0.1.4) and IIS-VM-02 (10.0.1.5) in subnet Web; another holds AD-VM-01 (10.0.0.4) and AD-VM-02 (10.0.0.5) in subnet AD.

Internal Load Balancing with Virtual Networks

Diagram: virtual network address space 10.0.0.0/16, connected to the on-premises network 192.168.0.0/16 over a hybrid connection.
• Subnet AD (AV set: AD): AD-VM-01 10.0.4.4, AD-VM-02 10.0.4.5
• Subnet WEB (AV set: SPWFE): SP-WFE-01 10.0.1.4, SP-WFE-02 10.0.1.5, SP-WFE-03 10.0.1.6
• Subnet APPS (AV set: SPAPP): SP-APP-01 10.0.2.4, SP-APP-02 10.0.2.5, SP-APP-02 10.0.2.6
• Subnet SQL (AV set: SQL): SQL-AO-01 10.0.3.4, SQL-AO-01 10.0.3.5, SQLWITNESS 10.0.3.6
• On premises (192.168.0.0/16): AD-DC-01 192.168.0.1, AD-DC-02 192.168.0.2, other servers
• Over the hybrid connection: Active Directory replication, access to on-premises resources, access to the intranet
• Internal load balancer: https://spintranet maps to 10.0.0.100; set the internal load balancer IP with New-AzureInternalLoadBalancerConfig

Static IP Addresses
Use static IP addresses to request that a specific IP address be assigned to the virtual machine.
• Addresses available from the assigned virtual network subnet.
• Will fail if another virtual machine has already been assigned the IP.
• Deploy virtual machines with static IP addresses into their own subnets to avoid conflict with other virtual machines.
• Set via PowerShell (Set-AzureStaticVNetIP)
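Added example (not the presenter's code) covering the internal load balancer and static IP slides together: reserve the intranet ILB address from the diagram and give a new web front end a static VNet IP, checking availability first so the deployment cannot fail on an address that is already taken. The VNet, subnet, service, image, credential and availability set names are assumptions.

```powershell
# Added example, not from the slides. Assumed: VNet "ContosoVNet" with subnets "WEB"
# (10.0.1.0/24) and "ILB" (10.0.0.0/24), service "contososp", password in $env:WFE_ADMIN_PASSWORD.
$vnetName    = "ContosoVNet"
$serviceName = "contososp"
$ilbName     = "spintranet-ilb"
$ilbAddress  = "10.0.0.100"   # https://spintranet address from the slide diagram
$vmAddress   = "10.0.1.4"     # requested static IP for SP-WFE-01

# A static IP that is already in use makes the deployment fail, so check both up front.
foreach ($ip in $ilbAddress, $vmAddress) {
    $check = Test-AzureStaticVNetIP -VNetName $vnetName -IPAddress $ip
    if (-not $check.IsAvailable) {
        throw "$ip is taken; free addresses nearby: $($check.AvailableAddresses -join ', ')"
    }
}

# Internal load balancer: reachable only inside the VNet (and over the hybrid connection),
# so the intranet front ends need no public endpoint at all.
$ilb = New-AzureInternalLoadBalancerConfig -InternalLoadBalancerName $ilbName `
    -SubnetName "ILB" -StaticVNetIPAddress $ilbAddress

$image = Get-AzureVMImage |
    Where-Object { $_.ImageFamily -eq "Windows Server 2012 R2 Datacenter" } |
    Sort-Object PublishedDate -Descending | Select-Object -First 1 -ExpandProperty ImageName

$vm = New-AzureVMConfig -Name "SP-WFE-01" -InstanceSize Medium -ImageName $image `
          -AvailabilitySetName "SPWFE" |
      Add-AzureProvisioningConfig -Windows -AdminUsername "spadmin" -Password $env:WFE_ADMIN_PASSWORD |
      Set-AzureSubnet -SubnetNames "WEB" |
      Set-AzureStaticVNetIP -IPAddress $vmAddress |
      Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 `
          -LBSetName "LBHTTPS" -InternalLoadBalancerName $ilbName `
          -ProbeProtocol tcp -ProbePort 443

# Create the cloud service and the ILB together; -Location must match the VNet's region.
New-AzureVM -ServiceName $serviceName -VMs $vm -VNetName $vnetName -Location "West US" `
    -InternalLoadBalancerConfig $ilb
```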

Microsoft Azure Hybrid Options

Cloud / Customer / Description:
• Secure point-to-site connectivity – Virtual Network (Point-to-Site): 80 Mbps; configure up to 254 clients to connect per virtual network.
• Secure site-to-site VPN connectivity – Virtual Network (Site-to-Site): 80 Mbps; connect on-premises network to virtual network using IPsec over the Internet.
• Private site-to-site connectivity – ExpressRoute: 10 Mbps – 10 Gbps; direct connectivity through Exchange Provider or Network Service Provider to Azure.

Comparing Hybrid Options (Bandwidth / Security / Management / Workloads)

ExpressRoute
• Bandwidth: 10 Mbps – 10 Gbps, committed bandwidth
• Security: private isolated network between provider and Azure; control over routing and traffic
• Management: configure once, simple to add new virtual networks
• Workloads: enterprise connectivity, mission critical, disaster recovery, hybrid applications

Site-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration of the IPsec VPN device for each virtual network created
• Workloads: hybrid applications, dev/test, secure management

Point-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration with each individual client machine
• Workloads: dev/test, secure management

Capabilities

Diagram: on-premises (your datacenter) connects to a Microsoft Azure virtual network (WFE, App) through a VPN gateway. Site-to-Site VPN terminates on a hardware VPN device or Windows RRAS; individual computers behind the corporate firewall and remote workers connect with Point-to-Site VPN.

Site-to-Site VPN
• Extend on-premises to the cloud securely (IPsec)
• On-ramp for migrating services to the cloud
• Use on-prem resources in Microsoft Azure (monitoring, AD, etc.)
• IPsec (IKEv1 and IKEv2)

Diagram: Site-to-Site virtual network with WFE, App, SQL and DC/DNS behind the VPN gateway.

Regional Virtual Networks
Connect virtual networks across Azure regions or subscriptions.

Diagram: two virtual networks connected over the Internet with IPsec.
• West US: gateway IP 137.135.8.71, address space 10.0.4.0/24, local network 10.0.5.0/24; cloud service with IIS-VM-01 (10.0.1.4) and IIS-VM-02 (10.0.1.5) in subnet Web
• East US: gateway IP 23.100.36.231, address space 10.0.5.0/24, local network 10.0.4.0/24; cloud service with IIS-VM-01 (10.0.1.4) and IIS-VM-02 (10.0.1.5) in subnet Web

Multi-Site Virtual Networks

Diagram: three on-premises sites and two virtual networks connected over secure IPsec.
• Site #1: gateway IP 96.226.123.9, address space 192.168.1.0/24
• Site #2: gateway IP 96.226.123.51, address space 192.168.2.0/24
• Site #3: gateway IP 96.226.123.92, address space 192.168.3.0/24
• Virtual network: gateway IP 137.135.67.12, address space 10.0.2.0/24, local networks 10.0.1.0/24 and 192.168.0.0
• Virtual network: gateway IP 137.135.8.71, address space 10.0.1.0/24, local networks 10.0.2.0/24 and 192.168.0.0/16

Virtual Networks & P2S Connectivity
• Connect from anywhere securely
• Secure Sockets Tunneling Protocol (SSTP)
• Easy to set up and use
• Ideal for prototyping, dev & demos
• P2S and S2S coexist

Diagram: Microsoft Azure virtual network (WFE, App, SQL, DC/DNS) behind a VPN gateway.

LAB 5: Point to Site

Virtual Network Device Options

Generic VPN devices must support:
• IKE v1, v2
• AES 128, 256
• SHA1, SHA2
See: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Creating a Virtual Network
• Always plan and create the virtual network first
• VMs are provisioned into a virtual network (cannot easily move an existing virtual machine to a VNET)

Virtual network configuration file
• Import/Export from the management portal – use as a template
• Applies to all VNETs in the selected subscription

Create via the Microsoft Azure management portal
Create via PowerShell: get-help azurevnet

Gateway redundancy and availability

Gateway roles in Microsoft Azure have 2 instances (active-passive mode).

A pair of VPN devices can be redundant (e.g. F5 BIG-IP), and the RRAS service on Windows Server is supported in a clustered configuration.

Pricing and SLA

$0.05/hour (~$37/month)

Standard data transfer rates apply

99.9% Virtual Network gateway availability

Video: Site-to-Site Virtual Networks

ExpressRoute

High throughput

Security

Lower cost

Predictable performance

What is ExpressRoute?

ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment.

ExpressRoute Providers

Diagram: Exchange Provider scenario – the customer site connects at an ExpressRoute partner location. Network Service Provider scenario – customer sites 1, 2 and 3 connect over the provider's WAN.

High Performance and Predictable

Exchange Providers: monthly fee with included outbound data transfer; unlimited inbound data transfer included.
• 200 Mbps+: 3 TB/month
• 500 Mbps+: 7.5 TB/month
• 1 Gbps+: 15 TB/month
• 10 Gbps+: 250 TB/month

Network Service Providers: monthly dual-port fee; unlimited data transfer (in and out) included.
• 10 Mbps, 50 Mbps, 50 Mbps, 100 Mbps, 500 Mbps, 1 Gbps

99.9% SLA: dedicated circuit uptime

Enable mission critical workloads
• Dev/test lab
• BI/big data
• Media
• Productivity apps
• Storage, backup, and recovery
• Hybrid apps

Security and Privacy
• Direct connect to your infrastructure hosted in Microsoft Azure, bypassing the public Internet
• Direct connect to Microsoft Azure services such as SQL Database and Microsoft Azure Storage

Diagram: the customer's network infrastructure connects through a connectivity provider to the Azure edge over a dedicated and private ExpressRoute circuit. Two kinds of traffic cross it: traffic to Microsoft Azure public services (Storage, SQL, Websites) and traffic to Microsoft Azure virtual networks (Microsoft Azure compute). Internet-bound traffic still leaves via the public Internet.

Public and Private Peering

Diagram: Contoso (10.0.0.0/16, with Exchange, AD/DNS, IIS servers, SQL farm, proxy/Internet edge and monitoring) reaches Microsoft Azure through the provider infrastructure. Cross-premises traffic to Contoso virtual networks/VMs uses private peering; Azure service access (Azure public services) uses public peering; direct Internet traffic stays Internet bound.

Cross Region Connectivity

Diagram: one ExpressRoute circuit (isolated VLANs on the Microsoft Azure private network, via the provider's routers) reaches Virtual Network and Public Services in both West US and East US: public peering for Public Services, private peering for Virtual Networks, plus traffic back to on-premises.

ExpressRoute and Disaster Recovery

Diagram: Equinix – Silicon Valley (Active Directory, SharePoint WEB, SharePoint App, F5 BIG-IP load balancer, SQL Primary, SQL Witness) connected by a 1 Gbps ExpressRoute circuit to Microsoft Azure – West US (Domain Controller in AVSET: AD; SharePoint WEB in AVSET: SPWEB; SharePoint App in AVSET: SPAPP; SQL Replica with SQL Always On, sync commit for auto-failover).

Deploying Globally with Traffic Manager

Traffic Manager – DNS Based Load Balancer
• Three load balancing algorithms: Performance, Round Robin, Fail Over
• Map your domain name to yourservice.trafficmanager.net with a CNAME:
  contoso.com -> contosotm.trafficmanager.net
• Map cloud service URLs in global data centers to the Traffic Manager profile:
  contosoeast.cloudapp.net, contosowest.cloudapp.net
• Built-in HTTP health probes for high availability

Performance
Traffic Manager determines the fastest route for the client and returns the IP for the appropriate cloud service.

Diagram: cloud services contosowest.cloudapp.net (West US, IIS-VM-01/IIS-VM-02) and contosoeast.cloudapp.net (East US, IIS-VM-01/IIS-VM-02) behind contosotm.trafficmanager.net, each with health probes. A request for contoso.com from Portland, OR is answered with the IP for contosowest.cloudapp.net: Traffic Manager calculates hops…

Round Robin
Traffic Manager returns IPs in a round robin fashion regardless of client location.

Diagram: the same two cloud services behind contosotm.trafficmanager.net with health probes. A request for contoso.com from Portland, OR is answered with the IP for contosoeast.cloudapp.net; Traffic Manager returns the next IP, which could be West or East.

Failover
Traffic Manager always returns the IP address of the primary cloud service unless it fails a health check.

Diagram: the same two cloud services behind contosotm.trafficmanager.net with health probes. While contosowest.cloudapp.net is healthy, ALL requests for contoso.com are answered with its IP; once it fails the health check (X), ALL requests are answered with the IP for contosoeast.cloudapp.net.
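Added example (not from the slides): the Failover profile from the diagram above, built with the classic Traffic Manager cmdlets; the profile name, monitor path and TTL are assumptions.

```powershell
# Added example, not from the slides. Assumed: profile "contosotm", probe path /healthcheck.aspx
# exposed on public port 80 of both cloud services, 30-second DNS TTL.
$profile = New-AzureTrafficManagerProfile -Name "contosotm" `
    -DomainName "contosotm.trafficmanager.net" `
    -LoadBalancingMethod "Failover" `
    -MonitorProtocol "Http" -MonitorPort 80 -MonitorRelativePath "/healthcheck.aspx" `
    -Ttl 30   # short TTL so clients re-resolve quickly once a failover happens

# With the Failover method the order in which endpoints are added is the priority order:
# West US is primary, East US only receives traffic while West fails its health probe.
$profile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile `
    -DomainName "contosowest.cloudapp.net" -Type CloudService -Status Enabled
$profile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $profile `
    -DomainName "contosoeast.cloudapp.net" -Type CloudService -Status Enabled

# Nothing is saved until the profile is written back.
$profile | Set-AzureTrafficManagerProfile

# Verify: the profile and both endpoints should report MonitorStatus "Online" once the
# probes succeed; a "Degraded" endpoint is one the probe cannot reach on the public port.
$saved = Get-AzureTrafficManagerProfile -Name "contosotm"
$saved | Select-Object Name, DomainName, LoadBalancingMethod, MonitorStatus, Ttl
$saved.Endpoints | Select-Object DomainName, Type, Status, MonitorStatus

# Last step, done at the DNS provider rather than in Azure:
#   contoso.com -> CNAME contosotm.trafficmanager.net
```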

DEMO: Microsoft Azure Traffic Manager

Summary

Endpoints
Virtual Networks
Point to Site
Site to Site
ExpressRoute
Traffic Manager

Coming Up Next . . . Microsoft Azure Active Directory

Thank You