Partner Practice Enablement - Overview

Module 1 – Introduction to Microsoft Azure
Module 2 – Microsoft Azure Virtual Machines
Module 3 – Microsoft Azure Networking
Module 4 – Microsoft Azure Active Directory
Module 5 – Cloud Services and Web Sites
Module 6 – SQL Server and SharePoint
Module 7 – Management and Monitoring

Today's topic will cover networking for Microsoft Azure Infrastructure Services. Learn how to enable, secure and load balance network endpoints. Learn about hybrid connectivity options with Microsoft Azure Virtual Networks, as well as distributing traffic globally with Microsoft Azure Traffic Manager.

Audience: IT Professionals, Architects

Microsoft Azure Networking

Agenda
• Endpoints
• Virtual Networks
• Point to Site
• Site to Site
• ExpressRoute
• Traffic Manager

Endpoints

Overview: Connectivity in Azure
(Diagram: cloudservice.cloudapp.net resolves to the Public Virtual IP Address (VIP); an Input Endpoint on the VIP forwards to the virtual machine's Internal IP Address.)

Reserved IP Addresses
Reserved IP Addresses for Cloud Service IPs: a persistent external IP address that is kept even if all virtual machines are stopped or deleted. Set via the Azure PowerShell cmdlets:

    New-AzureReservedIP -ReservedIPName "myIP" `
        -Location "West US"
    New-AzureVM -ReservedIPName "myIP" ...

Port Forwarding
(Diagram: input endpoints with port forwarding, one public port per virtual machine behind the shared VIP.)

Input Endpoints: Per Virtual Machine Public IP Addresses
• Each virtual machine can be assigned a public IP address
• The IP is not load balanced and is not behind a firewall
• Preview feature: not available in all regions

    New-AzureVMConfig -Name "vm1" ... |
        Add-AzureProvisioningConfig -Windows ... |
        Set-AzurePublicIP -PublicIPName "vm1ip" |
        New-AzureVM ...
(Diagram: per-VM public IP addresses shown as 23.100.44.180 and 23.100.44.181.)

DEMO: Default Networking Configuration

Using the External Load Balancer

TCP Health Probe
• The load balancer probes every 15 seconds
• Looks for an ACK on socket connect
• After two failures, traffic stops until an ACK is received
• Continues polling

HTTP Health Probe
• Health probe every 15 seconds
• HTTP 200 means healthy
• After two failures, traffic stops until a 200 is received
• Continues polling until healthy
• Allows deeper inspection into the health of a web application via custom code

Load Balancer: Custom Health Probe
(Diagram: the load balancer sends HTTP probes to a custom health-check URL on each instance.)

LAB: Load Balancer – Configuring the Load Balancer.pdf

Public Endpoint Access Control Lists
Tighten security with public Access Control Lists.

Configuring ACLs – Rule Configuration
• Specify remote subnet(s)
• Permit or Deny, and rule processing order
• Description for each rule
• Configure via the Portal or PowerShell

LAB: Access Control Lists – Configuring Access Control Lists.pdf

Virtual Networks

Virtual Network
• Logical isolation with control over the network
• Create subnets; use your private IP addresses
• Support for static IP addresses
• Support for internal load balancing
(Diagram: a Virtual Network containing subnetX, subnetY, subnetZ and a DNS Server.)

Virtual Network DNS Options – BYO or Microsoft Azure-provided
• Extend your trust boundary: VMs and Cloud Services on the same network
• Bring Your Own DNS: specify DNS servers in the Virtual Network
  • Hosted in an Azure VM
  • External
  • On-premises (with hybrid connection)
• VMs are assigned the specified DNS at boot.
TIP: if DNS is added after a virtual machine is running, a reboot is required for assignment.
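The reserved VIP, load balancer probe and endpoint ACL slides above come together in one deployment. The following is an added example written for this page, not code from the deck: it deploys a web VM behind a reserved VIP with an HTTP-probed load-balanced endpoint and locks the RDP endpoint to a management subnet. The service and VM names, the image name, the credentials and the 203.0.113.0/24 management subnet are placeholders.

```powershell
# Added example (not from the deck): a web VM behind a reserved VIP, with a load-balanced
# HTTP endpoint that is health-probed over HTTP and an RDP endpoint whose public ACL only
# permits the corporate management subnet. Names, image, credentials and the
# 203.0.113.0/24 management subnet are placeholders.
Import-Module Azure

$location    = "West US"
$serviceName = "contosoweb"
$image       = "<image-name-placeholder>"   # e.g. pick one from Get-AzureVMImage

# Persistent VIP: public DNS records stay valid even if every VM is stopped or deleted.
New-AzureReservedIP -ReservedIPName "contosoweb-vip" -Location $location

# Endpoint ACL: rules are evaluated in ascending Order; once a Permit rule exists,
# every source that matches no Permit rule is denied, so this is a management allow list.
$mgmtAcl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $mgmtAcl -Order 100 -Action Permit `
    -RemoteSubnet "203.0.113.0/24" -Description "Corporate management subnet only"

$vm = New-AzureVMConfig -Name "web1" -InstanceSize Small -ImageName $image
$vm = Add-AzureProvisioningConfig -Windows -AdminUsername "webadmin" `
          -Password "<strong-password-placeholder>" -VM $vm

# Load-balanced HTTP endpoint. The balancer requests /health every 15 seconds and keeps
# the instance in rotation only while it answers HTTP 200 (two misses take it out).
$vm = Add-AzureEndpoint -Name "http" -Protocol tcp -LocalPort 80 -PublicPort 80 `
          -LBSetName "lb-http" -ProbeProtocol http -ProbePort 80 -ProbePath "/health" `
          -ProbeIntervalInSeconds 15 -ProbeTimeoutInSeconds 31 -VM $vm

# The provisioning config added a public RDP endpoint named "RemoteDesktop";
# attach the ACL so it is reachable only from the management subnet.
$vm = Set-AzureEndpoint -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 `
          -ACL $mgmtAcl -VM $vm

New-AzureVM -ServiceName $serviceName -Location $location `
    -ReservedIPName "contosoweb-vip" -VMs $vm

# Verify: the HTTP endpoint should show its probe and the RDP endpoint its ACL.
Get-AzureVM -ServiceName $serviceName -Name "web1" | Get-AzureEndpoint |
    Select-Object Name, PublicPort, ProbeProtocol, ProbePath, Acl
```

A per-VM public IP (Set-AzurePublicIP) bypasses both the load balancer and endpoint ACLs, so any VM given one must rely on its guest firewall instead.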
Internal Load Balancing with Virtual Networks
(Diagram: On Premises 192.168.0.0/16 connected over a Hybrid Connection to a Virtual Network with address space 10.0.0.0/16. Active Directory replication and access to on-premises resources cross the connection; users reach the intranet at http://spintranet / https://spintranet, which maps to the internal load balancer at 10.0.0.100.)

Set the Internal Load Balancer IP with New-AzureInternalLoadBalancerConfig.

Static IP Addresses
• Use static IP addresses to request that a specific IP address be assigned to the virtual machine.
• Addresses are available from the assigned virtual network subnet.
• Assignment will fail if another virtual machine has already been assigned the IP.
• Deploy virtual machines with static IP addresses into their own subnets to avoid conflict with other virtual machines.
• Set via PowerShell (Set-AzureStaticVNetIP)

Microsoft Azure Hybrid Options

Comparing Hybrid Options (Capabilities)

ExpressRoute
• Bandwidth: 10 Mbps – 10 Gbps, committed bandwidth
• Security: private isolated network between provider and Azure; control over routing and traffic
• Management: configure once; simple to add new virtual networks
• Workloads: enterprise connectivity, mission critical, disaster recovery, hybrid applications

Site-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration of an IPsec VPN device for each Virtual Network created
• Workloads: hybrid applications, dev/test, secure management

Point-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration on each individual client machine
• Workloads: dev/test, secure management

Site-to-Site Virtual Network
• Extend on-premises to the cloud securely (IPsec)
• On-ramp for migrating services to the cloud
• Use on-prem resources in Microsoft Azure (monitoring, AD, etc.)
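The static IP and internal load balancer slides above describe one deployment pattern: check the address first, keep static VMs in their own subnet, and expose the intranet only on an internal load balancer. The following is an added example written for this page, not code from the deck. It assumes a virtual network named "contoso-vnet" (10.0.0.0/16) with subnets "ilb-subnet" and "web-subnet" already defined; the service, VM, image and credential values are placeholders.

```powershell
# Added example (not from the deck): place an intranet web VM on a fixed address in its own
# subnet and front it with an internal load balancer at 10.0.0.100, as in the diagram.
# Assumed: VNet "contoso-vnet" (10.0.0.0/16) with subnets "ilb-subnet" and "web-subnet";
# service/VM names, image and credentials are placeholders.
Import-Module Azure

$vnet  = "contoso-vnet"
$webIp = "10.0.1.10"     # in web-subnet, reserved for this one VM
$ilbIp = "10.0.0.100"    # the address https://spintranet resolves to on the intranet

# A static address fails at deploy time if it is already taken, so test it first.
foreach ($ip in @($webIp, $ilbIp)) {
    $check = Test-AzureStaticVNetIP -VNetName $vnet -IPAddress $ip
    if (-not $check.IsAvailable) {
        throw "$ip is in use; next free addresses: $($check.AvailableAddresses -join ', ')"
    }
}

# Internal load balancer: reachable from the VNet and the hybrid connection only,
# never from the public VIP.
$ilb = New-AzureInternalLoadBalancerConfig -InternalLoadBalancerName "spintranet-ilb" `
           -SubnetName "ilb-subnet" -StaticVNetIPAddress $ilbIp

$vm = New-AzureVMConfig -Name "spweb1" -InstanceSize Medium -ImageName "<image-name-placeholder>"
$vm = Add-AzureProvisioningConfig -Windows -AdminUsername "spadmin" `
          -Password "<strong-password-placeholder>" -VM $vm
$vm = Set-AzureSubnet -SubnetNames "web-subnet" -VM $vm
$vm = Set-AzureStaticVNetIP -IPAddress $webIp -VM $vm

# Endpoint on the ILB (not the public VIP), with an HTTP probe against the site.
$vm = Add-AzureEndpoint -Name "https-intranet" -Protocol tcp -LocalPort 443 -PublicPort 443 `
          -LBSetName "lb-intranet" -InternalLoadBalancerName "spintranet-ilb" `
          -ProbeProtocol http -ProbePort 80 -ProbePath "/" -VM $vm

# The ILB config is applied when the cloud service is created with its first VM.
New-AzureVM -ServiceName "spintranet" -Location "West US" -VNetName $vnet `
    -InternalLoadBalancerConfig $ilb -VMs $vm

# Verify the static assignment took effect.
Get-AzureVM -ServiceName "spintranet" -Name "spweb1" | Get-AzureStaticVNetIP
```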
(Diagram: IPsec (IKEv1 and IKEv2) tunnel from a hardware VPN device or Windows RRAS to the VPN Gateway of a Virtual Network hosting WFE, App, SQL and DC/DNS tiers.)

Regional Virtual Networks
Connect Virtual Networks across Azure regions or subscriptions.
(Diagram: West US and East US virtual networks connected over the Internet with IPsec.)

Multi-Site Virtual Networks
(Diagram: several sites connected to one Virtual Network with secure IPsec tunnels.)

Virtual Networks & P2S Connectivity
Connect from anywhere securely.
• Secure Sockets Tunneling Protocol (SSTP)
• Easy to set up and use
• Ideal for prototyping, dev & demos
• P2S and S2S coexist
(Diagram: a client connecting over SSTP to the VPN Gateway of a Virtual Network hosting WFE, App, SQL and DC/DNS.)

LAB: Point to Site – Point-To-Site Network.pdf

Virtual Network Device Options
• IKE v1, v2
• AES 128, 256
• SHA1, SHA2
http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

Creating a Virtual Network
• Always plan and create the virtual network first
• VMs are provisioned into a virtual network (an existing virtual machine cannot easily be moved to a VNET)
• Virtual Network configuration file: import/export from the management portal and use it as a template. It applies to all VNETs in the selected subscription.
• Create via the Microsoft Azure management portal
• Create via PowerShell: get-help azurevnet

Gateway redundancy and availability
• Gateway roles in Microsoft Azure have 2 instances (active-passive mode)
• A pair of VPN devices can be redundant (e.g. F5 BIG-IP), and the RRAS service on Windows Server is supported in a clustered configuration.

Pricing and SLA
• $0.05/hour (~$37/month)
• Standard data transfer rates apply
• 99.9% Virtual Network gateway availability

Video: Site-to-Site Virtual Networks

ExpressRoute

What is ExpressRoute?
ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment.

ExpressRoute Providers
• WAN: high performance and predictable
• Exchange Providers: monthly fee with included outbound data transfer. Unlimited inbound data transfer included.
• Network Service Providers: monthly dual-port fee.
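The site-to-site slides above (IPsec to an RRAS or hardware VPN device, the active-passive gateway pair, and the per-VNet device configuration) can be driven end to end from PowerShell. The following is an added example written for this page, not code from the deck: it provisions the gateway, installs a freshly generated pre-shared key for the on-premises site and waits for the tunnel. It assumes a VNet named "contoso-vnet" whose network configuration already defines a local network site named "HQ-RRAS"; both names are placeholders.

```powershell
# Added example (not from the deck): provision the site-to-site VPN gateway for a virtual
# network, install a freshly generated IPsec pre-shared key for the on-premises RRAS site,
# and poll until the tunnel reports Connected. Assumed: VNet "contoso-vnet" with a local
# network site "HQ-RRAS" already in the network configuration; both names are placeholders.
Import-Module Azure

$vnet = "contoso-vnet"
$site = "HQ-RRAS"

# The gateway is a managed active/passive pair; provisioning takes several minutes.
if ((Get-AzureVNetGateway -VNetName $vnet).State -ne "Provisioned") {
    New-AzureVNetGateway -VNetName $vnet | Out-Null
}

# 32-character random pre-shared key, one per site. The same value must be entered on the
# RRAS server or VPN device; rotate it by re-running this step on both ends.
# Get-Random is fine for a lab; generate production keys with a CSPRNG instead.
$alphabet = [char[]]((48..57) + (65..90) + (97..122))
$psk = -join (1..32 | ForEach-Object { Get-Random -InputObject $alphabet })
Set-AzureVNetGatewayKey -VNetName $vnet -LocalNetworkSiteName $site -SharedKey $psk | Out-Null

# Wait for IKE negotiation with the on-premises device to complete (give up after 10 minutes).
$deadline = (Get-Date).AddMinutes(10)
do {
    $conn = Get-AzureVNetConnection -VNetName $vnet |
                Where-Object { $_.LocalNetworkSiteName -eq $site }
    Write-Host ("{0}  {1}  in={2}B out={3}B" -f (Get-Date -Format T), $conn.ConnectivityState,
                $conn.IngressBytesTransferred, $conn.EgressBytesTransferred)
    if ($conn.ConnectivityState -ne "Connected") { Start-Sleep -Seconds 30 }
} while ($conn.ConnectivityState -ne "Connected" -and (Get-Date) -lt $deadline)
```

The byte counters from Get-AzureVNetConnection are also the quickest sanity check after a key rotation: a tunnel that reports Connected but never moves ingress bytes usually has a mismatched key or policy on the device side.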
  Unlimited data transfer (in and out) included (Network Service Providers, continued)
• SLA: enable mission critical workloads

Security and Privacy
• Direct connect to your infrastructure hosted in Microsoft Azure, bypassing the public Internet
• Direct connect to Microsoft Azure services such as SQL Database and Microsoft Azure Storage
(Diagram: the ExpressRoute circuit, dedicated and private, runs from the connectivity provider infrastructure to the Azure edge. Traffic to Microsoft Azure Virtual Networks uses private peering, traffic to Microsoft Azure public services uses public peering, and Internet-bound traffic still crosses the public Internet.)

Cross Region Connectivity
(Diagram: one ExpressRoute circuit with public peering to Public Services in West US and East US, and private peering over isolated VLANs carrying traffic to on-premises for the Virtual Networks in West US and East US across the Microsoft Azure private network.)

ExpressRoute and Disaster Recovery
(Diagram: Equinix Silicon Valley site with an F5 BIG-IP load balancer, SharePoint WEB and App tiers, SQL Always On primary, SQL witness and Active Directory, connected by a 1 Gbps ExpressRoute circuit to Microsoft Azure West US running availability sets SPWEB, SPAPP and AD, a domain controller and a SQL replica with synchronous commit for automatic failover.)

DEMO: ExpressRoute

Deploying Globally with Traffic Manager

Traffic Manager – DNS Based Load Balancer
• Three load balancing algorithms: Performance, Round Robin, Failover
• Map your domain name to yourservice.trafficmanager.net with a CNAME: contoso.com -> contosotm.trafficmanager.net
• Map cloud service URLs in global data centers to the Traffic Manager profile: contosoeast.cloudapp.net, contosowest.cloudapp.net
• Built-in HTTP health probes for high availability

Performance: Traffic Manager determines the fastest route for the client and returns the IP for the appropriate cloud service.
Round Robin: Traffic Manager returns IPs in a round robin fashion regardless of client location.
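The Traffic Manager profile described above (the contosotm.trafficmanager.net CNAME target, the two cloud service endpoints and the HTTP health probe) can be built from PowerShell. The following is an added example written for this page, not code from the deck; it uses the Failover method, one of the three listed, and assumes both cloud services exist and serve a /health page on port 80.

```powershell
# Added example (not from the deck): a Traffic Manager profile for contosotm.trafficmanager.net
# with the Failover method and an HTTP probe, so a region drops out of DNS answers as soon as
# it stops returning HTTP 200. Assumed: contosoeast/contosowest.cloudapp.net exist and serve
# /health on port 80; "contosotm" is the profile name from the slide.
Import-Module Azure

# Short TTL so clients re-resolve and pick up a failover quickly.
$tmProfile = New-AzureTrafficManagerProfile -Name "contosotm" `
    -DomainName "contosotm.trafficmanager.net" `
    -LoadBalancingMethod "Failover" `
    -MonitorProtocol "Http" -MonitorPort 80 -MonitorRelativePath "/health" `
    -Ttl 300

# Endpoint order matters for Failover: the first enabled, healthy endpoint is answered.
$tmProfile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tmProfile `
    -DomainName "contosoeast.cloudapp.net" -Type "CloudService" -Status "Enabled"
$tmProfile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tmProfile `
    -DomainName "contosowest.cloudapp.net" -Type "CloudService" -Status "Enabled"
Set-AzureTrafficManagerProfile -TrafficManagerProfile $tmProfile | Out-Null

# At the public DNS host, as on the slide:
#   contoso.com  CNAME  contosotm.trafficmanager.net

# Check each endpoint's monitor status and which address DNS currently hands out.
Get-AzureTrafficManagerProfile -Name "contosotm" |
    Select-Object -ExpandProperty Endpoints |
    Format-Table DomainName, Status, MonitorStatus -AutoSize
Resolve-DnsName -Name "contosotm.trafficmanager.net" -Type A
```

Because Traffic Manager only controls DNS answers, a client that cached the primary's address before the probe failed keeps using it until the TTL expires; that is why the TTL here is kept short.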
Failover: Traffic Manager always returns the IP address of the primary cloud service unless it fails a health check.
(Diagram: the primary cloud service marked with an X after failing its health check; clients are sent to the secondary.)

DEMO: Microsoft Azure Traffic Manager

Summary
• Endpoints
• Virtual Networks
• Point to Site
• Site to Site
• ExpressRoute
• Traffic Manager

Coming Up Next . . . Microsoft Azure Active Directory

Thank You