Microsoft Azure: Infrastructure as a Service (IaaS) Module


Module 4: IaaS Virtual Networking

Azure Networking

Microsoft Azure Virtual Networks
Your virtual branch office/data center in the cloud
o Allows customers to extend their enterprise networks into Microsoft Azure
o Networking on-ramp for migrating existing apps and services to Microsoft Azure
o Allows customers to run hybrid apps that span the cloud and their on-premises setup
A protected private virtual network in the cloud
o Allows customers to set up secure private IPv4 networks fully contained within Microsoft Azure

o IP address persistence capability
o Inter-service (Dynamic IP address) DIP-to-DIP communication, i.e. PaaS/IaaS communication

Virtual Network Features
Customer-managed private virtual networks within Microsoft Azure
o Bring your own IPv4 addresses
o Provides control over placement of Microsoft Azure VMs and roles within the network
o Stable IPv4 addresses for VMs
Hosted VPN Gateway that enables site-to-site connectivity
o Automated provisioning and management
o Supports existing on-premises VPN devices
Use on-premises DNS servers for name resolution, or Azure DNS
o Allows you to use your own on-premises DNS servers for name resolution
o Allows VMs running in Microsoft Azure to be joined to corporate domains running on-premises (use your on-premises Active Directory)

Can provide internal static IP addresses (via PowerShell) [DIP]
Can provide public reserved IP addresses (via PowerShell) [VIP]
Multiple virtual IP addresses per VM [ILPIP]

How to Set Up Virtual Networks
Portal
o Wizard to create and update virtual networks
o Manage gateway lifecycle
APIs and Scripting
o REST APIs
o PowerShell cmdlets
o Network Configuration
Operations on Network Configuration
o Set Network Configuration
o Get Network Configuration
Azure Resource Manager (ARM) scripting/deployment

Configuring Virtual Networks
[Diagram: the Network Admin submits the network configuration and the IT Admin submits the deployment package through the Microsoft Azure Portal (API). ContosoCorpOffice (10.0.0.0/16, DNS1 10.0.0.20, DNS2 10.0.0.21) connects through a Cisco ASA gateway (131.57.23.45) to the ContosoVNet gateway IP (65.57.23.45). ContosoVNet (10.1.0.0/16) contains FEndSubnet (10.1.1.0/24), ADSubnet (10.1.2.0/24, DNS server 10.1.2.101), SQLSubnet (10.1.3.0/24), BESubnet (10.1.4.0/24) and GWSubnet (10.1.5.0/24).]

Demonstration: Deploying a Virtual Network

Module 4: IaaS Virtual Networking

Azure Connectivity

Glossary for Network basic components
VIP (Virtual IP address)
o A public IP address that belongs to a machine in a virtual network. It is also the address of the Azure Load Balancer, which decides how network traffic is directed before being routed to the VM.
o It is possible to reserve an IP from the Microsoft pool
DIP (Dynamic IP address)
o An internal IP assigned by Microsoft Azure DHCP to the VM
o Associated automatically with the VM when created
o It is released when the VM is deleted or deallocated (default)
o It is possible to configure a static IP address
o You can have more than one DIP per VM (Multi-NIC support)
ILPIP (Instance Level Public IP)
o An ILPIP is associated with the VM in addition to the VIP. Traffic to the ILPIP goes directly to the VM and is not routed through the Azure Load Balancer

Glossary for Network basic components (cont.)
Azure Load Balancer (External LB)
o All inbound traffic to the VIP is routed through the ELB, which firewalls and distributes it. Allows only inbound TCP or UDP traffic. This is a software load balancer (SLB)
Internal Load Balancer (ILB)
o It is configured to port-forward or load-balance traffic inside a VNET to different VMs.
Inbound Security Rule
o Associated with a network security group. Associates a VIP/DIP + port combination on a VM with a port on either the Azure Load Balancer for public-facing traffic or the Internal Load Balancer for traffic inside a VNET

Microsoft Azure Provided DNS Within a Virtual Network
[Diagram: TestVM1 (10.1.1.1) asks "Who is TestVM2?" and the Azure-provided DNS resolves TestVM2 within the same virtual network.]

Overview: Basic Connectivity in Microsoft Azure
[Diagram: a VNet in a Resource Group behind an LB; optional DNS namespace and public IP (yourDNSname.region.cloudapp.azure.com); VMs in the same VNet are accessed via their internal IP address.]

Overview: Existing Connectivity in Microsoft Azure
[Diagram: DNS address and VIP in front of an LB; VMs reached by internal IP addresses.]
Optional load balanced endpoint. Stable VIP per service deployment. You can choose not to have a VIP
Single port per inbound security rule with protocols HTTP, HTTPS, TCP
Each individual VM can reserve a separate public IP

Instance-to-instance communication in the same VNet
Supported protocols: TCP
Port ranges supported
Communication boundary = Deployment boundary

Name Resolution
Microsoft Azure-provided DNS service for VMs in the same virtual network/resource group
Dnsname.region.cloudapp.azure.com (VIP) and internal IP addresses

Internal IP Addresses
Open by default with VMs (firewalls are not)
Allows all IP traffic to flow
Open ICMPv4 port to ping
Can be used across VMs within a single virtual network
[Diagram: Resource Group / Single VNet with Subnet 1 and Subnet 2; IP traffic flows between Virtual Machines.]

Inbound Security Rules
VMs can automatically communicate with other VMs in the same virtual network
Inbound security rules are required to direct inbound network traffic from the Internet or other virtual networks to a VM
In the Azure Management Portal, endpoints are automatically created for:
o Remote Desktop

Each inbound security rule has a source and destination port range:
o Source port range: used by Azure to listen for incoming traffic to the VM
o Destination port range: used by the VM to listen for incoming traffic to an application or service running on the VM
ACLs on an endpoint can restrict traffic based upon source IP address range
o Inbound or outbound security rules can allow or deny traffic from specific IPs and known IP address ranges
o Rules are evaluated based on priority number. The lower the number, the higher the priority
o Inbound and outbound security rules are part of a Network Security Group

Microsoft Azure External Connectivity Options
[Diagram: enterprise-to-cloud connectivity layers: Data Synchronization (Azure Data Factory); Application Layer Connectivity and Messaging (Service Bus); Secure Machine-to-Machine Network Connectivity (Point-to-Site); Secure Site-to-Site Network Connectivity (Microsoft Azure Virtual Network); Private Site-to-Site Connectivity (ExpressRoute).]

Point-to-Site
[Diagram: a VPN client (Client 1, using a certificate and the VPN client package) builds a VPN tunnel from the Corp. HQ to the Virtual Network hosting a WA Web Role and SQL Server.]

Site-to-Site Connectivity
Extend your on-premises network to the cloud securely
On-ramp for migrating services to the cloud
Use your on-premises resources in Azure (monitoring, AD, ...)

Site-to-Site VPN
[Diagram: your datacenter, with an on-premises hardware VPN device or Windows RRAS and a DNS server, connected by a VPN tunnel to the Windows Azure VPN Gateway of the Virtual Network.]

VPN Gateways: The Virtual Branch Office
[Diagram: the Corp. HQ (SQL Servers, IIS Servers, AD/DNS, Exchange Server) and the Branch Office, each with an S2S VPN device, connected by S2S VPN tunnels to the BRK Gateway of the Virtual Network in Microsoft Azure.]

Multi-Site VPN
Create a multi-site VPN in order to connect multiple on-premises sites to a single virtual network gateway

Requires dynamic routing configured on the VNet gateway
o Can change the gateway type without needing to rebuild the virtual network to accommodate multi-site
o Need to ensure the on-premises VPN gateway supports dynamic routing VPN
Add configuration settings to the network configuration file
Changes to the VNet won't be available through the Management Portal
o Can use it for everything else except making configuration changes to this particular virtual network

Example: Contoso's Deployment
[Diagram: Contoso Production VNET in Microsoft Azure (10.1.0.0/16; subnets 10.1.2.0/24 and 10.1.3.0/24; hosts 10.1.0.4 and 10.1.1.4; gateway 65.52.249.22) and Contoso Test in Microsoft Azure (10.2.0.0/16; subnets 10.2.2.0/24 and 10.2.3.0/24; BRK Gateway), both connected by S2S VPN tunnels to the Corp. HQ (10.0.0.0/16; S2S VPN device 131.57.23.120; SQL Farm, IIS Servers, AD/DNS at 10.0.0.10 and 10.0.0.11, Exchange Server). Multiple S2S VPNs are allowed to a single VNet.]

VNet to VNet Connectivity
Cross region geo-redundancy and geo-presence
o You can set up your own geo-replication or synchronization with secure connectivity without going over internet-facing endpoints

o With Azure Load Balancer and Microsoft or third party clustering technologies, you can set up highly available workloads with geo-redundancy across multiple Azure regions
Regional multi-tier applications with strong isolation boundary
o Within the same region, you can set up multi-tier applications with multiple virtual networks connected together with strong isolation and secure inter-tier communication
Cross subscription, inter-organization communication in Azure
o Connect workloads from different subscriptions together securely between virtual networks
o Enable cross organization communication with secure VPN technology within Azure

What is ExpressRoute?
ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Windows Azure datacenters and their on-premises IT environment.
Predictable performance
Security
High throughput
Lower cost
Public, Private and Microsoft peering

Virtual Network and ExpressRoute
Scenario 1: IPSec VPN over internet
o Connect via an encrypted link over the public internet
o Virtual Network - Compute only
Scenario 2: Exchange Provider
o Peer at an ExpressRoute location, an Exchange Provider facility
Scenario 3: Network Service Provider
o Connection from a WAN provided by a Network Service Provider. Azure becomes another site on the customer's WAN network
ExpressRoute - Provides customer choice and includes access to compute, storage, and other Azure services
[Diagram: customer sites 1-3 and the customer DC reaching Windows Azure over the public internet, via an ExpressRoute partner location, or via the provider WAN.]

VPN GW S2S and ExpressRoute coexistence
VPN gateway allows you to have Site-to-Site (S2S) VPN connectivity to a Virtual Network that also has a gateway connected to an ExpressRoute circuit. This enables new connectivity scenarios:
o You can now use an S2S VPN tunnel as a backup for your ExpressRoute connection.
o You can connect branch offices that aren't part of your WAN to your Azure virtual networks that are also connected via ExpressRoute.
o You can have Point-to-Site connections to the same Virtual Network that is also connected via ExpressRoute, enabling dev/test and mobile worker scenarios.

Module 4: IaaS Virtual Networking
Networking Scenarios

Virtual Network Scenarios
Hybrid Public/Private Cloud
o Enterprise app in Microsoft Azure requiring connectivity to on-premises resources
Enterprise Identity and Access Control
o Manage identity and access control with on-premises resources (on-premises Active Directory)
Monitoring and Management
o Remote monitoring and troubleshooting of resources running in Microsoft Azure (SCOM)
Advanced Connectivity Requirements
o Cloud deployments requiring persistent IP addresses and direct connectivity across services

Application Migration
[Diagram: the Corp. HQ (SQL Farm, IIS Servers, App Servers, AD/DNS) connected by a VPN tunnel to a WA Web Role in Azure.]

SharePoint in Microsoft Azure
[Diagram: Microsoft Azure Virtual Network (10.8.8.x) with a DC/DNS IaaS VM domain-joined to the on-premises network, SharePoint Front-End IaaS VMs behind a persistent LB, a Search and Index IaaS VM, and SQL IaaS VMs using SQL mirroring; the on-premises DC/DNS provides local DNS and user/service accounts; clients reach the front end from the Internet.]

Module 4: IaaS Virtual Networking
High Availability

Azure Load Balancer

[Diagram: Load Balancer in front of a Virtual Network with four VMs.]

Load Balancer: Default Health Probe for Load Balanced Sets
[Diagram: Load Balancer, Microsoft Azure Agent (role status) and customer application on each VM.]

Load Balancer: Custom Health Probe for Load Balanced Sets
[Diagram: Load Balancer, Microsoft Azure Agent (role status) and customer application on each VM.]

Azure Internal Load Balancer - ILB
Provides load balancing for machines inside of a virtual network
o Within a virtual network, from virtual machines in a virtual network to a set of virtual machines that reside within the same virtual network
o For a cross-premises virtual network, from on-premises computers to a set of virtual machines that reside within the same virtual network
o Between virtual machines in a virtual network
Using ILB
o Internet-facing, multi-tier applications in which the back-end tiers are not Internet-facing but require load balancing for traffic from the Internet-facing tier
o Load balancing for line-of-business (LOB) applications hosted in Azure without requiring additional load balancer hardware or software
ILB Setup
o PowerShell only:
  Add-AzureRMLoadBalancerFrontendIPConfig
  Add-AzureRMLoadBalancerBackendAddressPoolConfig

ILB Scenario
Intranet app running on Azure IaaS
Cross-premises Azure virtual network
Load balance machines that are not internet facing

Internet IP Addresses and Load Balancing
Public IP Addresses in Azure
Can be used for instance (VM) level access or load balancing
Instance-level IP (ILPIP)
o Internet IP assigned exclusively to a single VM
o Entire port range accessible by default
o Primarily for targeting a specific VM
Load balanced IP (VIP)
o Internet IP load balanced among one or more VM instances
o Allows port redirection
o Primarily for load balanced, highly available, or auto-scale scenarios
[Diagram: 151.2.3.4 (VIP) in front of an LB distributing to VM1 (IP1) and VM2 (IP2), which also carry instance-level IPs 131.3.3.3 and 131.3.4.4.]

Microsoft Azure DNS Services
Azure DNS (Preview)
o Host your DNS domains in Azure
o Integrate your Web and Domain hosting
Traffic Manager DNS
o Globally route user traffic with flexible policies
o Enable best-of-class end to end user experience

Traffic Manager
Traffic Management Policies
o Latency: direct to closest service
o Round Robin: distribute across all services
o Failover: direct to backup if primary fails
o Nested: flexible multi-level policies
[Diagram: www.contoso.com resolved through Traffic Manager.]

Module 04: IaaS Virtual Networking
Other Features

Network Security Groups (NSG)
Define access control rules for inbound/outbound traffic to a VM or group of VMs in a subnet
NSG rules can be changed at any time and apply to all instances
NSG can be associated with:
o A single VM in a VNet
o A subnet in a VNet
o A VM and a subnet together for added security
Rules are processed in order of priority
Rules are based on the 5-tuple (source/destination IP, source/destination port, protocol)

Network Security Groups (continued)
Two different ACL groups, one for an individual VM, one for a subnet
Rules are applied to inbound traffic for the subnet first, followed by the rules for the VM
Outbound rules are applied for the VM first, followed by the subnet rules
Example PowerShell:

New-AzureNetworkSecurityGroup -Name "MyVNetSG" -Location "West US" -Label "Security group for my VNet in West US"
Get-AzureNetworkSecurityGroup -Name "MyVNetSG" | Set-AzureNetworkSecurityRule -Name WEB -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix 'INTERNET' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol TCP

Multi-NIC Support
Using multiple NICs on your VM allows you to manage network traffic better (max ~8)
o Isolate traffic between front-end NICs and back-end NICs
Cannot add or remove NICs once the VM is created
Can have multiple NICs on any VM except for the Basic SKU
VMs must be in an Azure Virtual Network
Additional NICs cannot be used in a load balanced set
On-premises VMs with multiple NICs migrated to Azure won't work; the VM must be built in Azure

Forced Tunneling
Force internet-bound traffic from a cloud application back through the on-premises network via Site-to-Site VPN/ExpressRoute
Allows scenarios for inspection and auditing of traffic
Can create a routing table with a default route, then associate the routing table to VNet subnets

Source IP Affinity
Azure Load Balancer new distribution mode = Source IP Affinity
Load balance traffic based on 2- or 3-tuple modes

Scenarios
o Configure load balancer distribution to an endpoint on a VM via PowerShell/Service Management API
o Configure load balancer distribution for your Load-Balanced Endpoint Sets via PowerShell/Service Management API
o Configure load balancer distribution for your Web/Worker roles via the Service model (.csdef file)

User Defined Routing
By default, Azure provides a route table based on your virtual network settings
The need for custom routing may include:
o Use of a virtual appliance in your Azure environment, e.g. a firewall
o Implementing a virtual NAT appliance to control traffic between your Azure virtual network and the Internet
o BGP routes: if you are using ExpressRoute, you can enable BGP to propagate routes from your on-premises network to Azure
Example: all traffic directed to the mid-tier and back-end subnets initiated from the front-end subnet goes through a virtual firewall appliance

Module 4: IaaS Virtual Networking
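The NSG evaluation semantics from the Network Security Groups slides above (lowest priority number first, 5-tuple matching, subnet NSG before VM NSG for inbound traffic and the reverse for outbound, implicit deny when nothing matches), as an added Python model. This is example code written for this page, not Azure's implementation or the course's own material; the VNet range, rule sets and addresses are constructed samples, and the INTERNET tag is approximated as any public address outside the VNet.

```python
import ipaddress
from collections import namedtuple

# Constructed VNet address space; used to resolve the VIRTUAL_NETWORK and
# INTERNET tags (INTERNET approximated as any public address outside the VNet).
VNET = ipaddress.ip_network("10.1.0.0/16")

# One NSG rule: a 5-tuple filter plus priority, direction and action.
Rule = namedtuple("Rule", "name priority direction action "
                          "src_prefix src_ports dst_prefix dst_ports protocol")

def _addr_match(prefix, addr):
    ip = ipaddress.ip_address(addr)
    if prefix == "*":
        return True
    if prefix == "VIRTUAL_NETWORK":
        return ip in VNET
    if prefix == "INTERNET":
        return ip.is_global and ip not in VNET
    return ip in ipaddress.ip_network(prefix, strict=False)

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")          # "443" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, src, sport, dst, dport, proto):
    """Lowest priority number wins; the first match decides. No match falls
    through to the implicit DenyAll rule at the bottom of every group."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", proto):
            continue
        if (_addr_match(r.src_prefix, src) and _port_match(r.src_ports, sport)
                and _addr_match(r.dst_prefix, dst) and _port_match(r.dst_ports, dport)):
            return r.action == "Allow", r.name
    return False, "DefaultDeny"

def is_allowed(subnet_nsg, vm_nsg, direction, src, sport, dst, dport, proto):
    """Inbound: subnet NSG then VM NSG; outbound: VM NSG then subnet NSG.
    Both groups must allow the flow; the first Deny (or default deny) wins."""
    order = [subnet_nsg, vm_nsg] if direction == "Inbound" else [vm_nsg, subnet_nsg]
    for nsg in order:
        ok, name = evaluate(nsg, direction, src, sport, dst, dport, proto)
        if not ok:
            return False, name
    return True, "allowed"

# Constructed sample groups. The 65000+ entries mirror the default AllowVNet
# and AllowInternetOut rules every NSG carries.
SUBNET_NSG = [
    Rule("AllowHTTPSIn", 100, "Inbound", "Allow", "INTERNET", "*", "*", "443", "TCP"),
    Rule("DenyRDPFromInternet", 110, "Inbound", "Deny", "INTERNET", "*", "*", "3389", "TCP"),
    Rule("AllowVNetIn", 65000, "Inbound", "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("AllowInternetOut", 65001, "Outbound", "Allow", "*", "*", "INTERNET", "*", "*"),
]
VM_NSG = [
    Rule("AllowHTTPSIn", 100, "Inbound", "Allow", "INTERNET", "*", "*", "443", "TCP"),
    Rule("DenyInternetIn", 200, "Inbound", "Deny", "INTERNET", "*", "*", "*", "*"),
    Rule("DenySMBOut", 100, "Outbound", "Deny", "*", "*", "INTERNET", "445", "TCP"),
    Rule("AllowVNetIn", 65000, "Inbound", "Allow", "VIRTUAL_NETWORK", "*", "VIRTUAL_NETWORK", "*", "*"),
    Rule("AllowInternetOut", 65001, "Outbound", "Allow", "*", "*", "INTERNET", "*", "*"),
]
```

Note that an Internet client reaching port 80 is dropped by the subnet group's implicit deny even though no explicit rule names port 80, and intra-VNet RDP passes both groups via the default AllowVNet rule, which is why a VM-level NSG is worth adding for sensitive hosts.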

Virtual Network Appliances

Virtual Network Appliances Overview
o VMs that perform specific network functions
o Focus: Security (Firewall, IDS, IPS), Router/VPN, ADC (Application Delivery Controller), WAN Optimization
o Typically Linux or FreeBSD-based platforms
o 1st and 3rd party appliances
ExpressRoute / Virtual Networks make Azure part of the customer's network, driving demand for security, compliance, performance, scalability
Scenarios
o IT policy and compliance consistency between on-premises and Azure
o Supplement/complement Azure capabilities
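The User Defined Routing example above (front-end subnet traffic to the mid-tier and back-end subnets steered through a virtual firewall appliance), the forced tunneling default route, and the appliance roles listed in this section, as an added Python model of Azure's route selection: longest prefix wins, and on a tie a user-defined route beats a BGP route, which beats a system route. This is example code written for this page, not Azure's own logic or course material; the subnet prefixes and the appliance address 10.1.5.4 are constructed.

```python
import ipaddress
from collections import namedtuple

# One route-table entry: destination prefix, next hop type, next hop address
# (only meaningful for VirtualAppliance) and who created it.
Route = namedtuple("Route", "prefix next_hop_type next_hop origin")

# Tie-break when prefixes are equally specific: user-defined, then BGP, then system.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}

def system_routes(vnet_prefix):
    """The default route table Azure derives from the virtual network settings."""
    return [
        Route(vnet_prefix, "VnetLocal", None, "System"),
        Route("0.0.0.0/0", "Internet", None, "System"),
    ]

def select_route(routes, dst):
    """Longest-prefix match; among equal-length prefixes ORIGIN_RANK decides."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                       -ORIGIN_RANK[r.origin]))

def next_hop(routes, dst):
    """Return (next_hop_type, next_hop) for a destination, or (None, None)."""
    r = select_route(routes, dst)
    return (r.next_hop_type, r.next_hop) if r else (None, None)

# Constructed route table for the front-end subnet of a 10.1.0.0/16 VNet:
# mid-tier (10.1.3.0/24) and back-end (10.1.4.0/24) traffic goes through a
# virtual firewall appliance at 10.1.5.4, and 0.0.0.0/0 is forced back to the
# on-premises gateway (forced tunneling) instead of straight to the Internet.
FIREWALL = "10.1.5.4"
FRONTEND_ROUTES = system_routes("10.1.0.0/16") + [
    Route("10.1.3.0/24", "VirtualAppliance", FIREWALL, "User"),
    Route("10.1.4.0/24", "VirtualAppliance", FIREWALL, "User"),
    Route("0.0.0.0/0", "VirtualNetworkGateway", None, "User"),
]
```

Traffic inside the front-end subnet itself still takes the system VnetLocal route, so the appliance only sees the cross-tier flows the route table names.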

Azure Marketplace
o Available through the Azure Certified Program to ensure quality and simplify deployment
o You can also bring your own appliance and license
[Diagram: 3rd Party Appliances and 1st Party Appliances; 1st party: L7 Load Balancer with cookie session affinity and SSL offload.]

[Diagram: future opportunities: WAN Accelerator, WAF, Load Balancer, Intrusion Prevention, Bring Your Own Appliance.]

Azure Application Gateway
Azure-managed, first-party virtual appliances
HTTP routing based on app-level policies:
o Cookie based session affinity
o URL hash
o Weight (load)
SSL termination and caching
o Centralize certificate management
o Scalable backend provisioning
[Diagram: App Gateway providing load balancing, cookie affinity and SSL offload over HTTP & HTTPS to customer VMs Web1, Web2 and Web3.]

Application Gateway LB Hierarchy
Azure Service | What | Example
Traffic Manager | Cross-region redirection & availability | http://news.com to apac.news.com, emea.news.com, us.news.com
SLB | In-region scalability & availability | emea.news.com
Application Gateway | URL/content-based routing & load balancing | news.com/topnews, news.com/sports, news.com/images
[Diagram: Internet to Azure Traffic Manager (DNS Load Balancer), then per-region SLB (L4 Load Balancer), then Application Gateways (AppGw1, AppGw2), then VMs / Web Servers in Region 1 and Region 2.]
