5/5/2018 11:05 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

2 Azure VNet for Containers
P4045
Narayan Annamalai, Mario Lopez
Program Managers, Azure Networking

3 The Big (Network) Picture
Build 2012
Azure Virtual Network
Virtual Network: “Bring Your Own Network”
• Segment with subnets and security groups
• Control traffic flow with User Defined Routes
Front-End Access (Users, Internet)
• Dynamic/Reserved Public IP addresses
• Direct VM access, ACLs for security
• Load balancing
• DNS services: hosting, traffic management
• DDoS protection
Backend Connectivity
• Point-to-site for dev / test
• VPN Gateways for secure site-to-site connectivity
• ExpressRoute for private enterprise grade connectivity
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Azure SDN Momentum: Rich and Scalable VNets
2013: Virtual networks, Public load balancing, Managed NAT
2014: Internal load balancing, VPN based on premise connectivity
2015: Network security groups, Service chaining, Private peering, Multi-NIC, Reserved IP, Instance IP
2016+: Container support, Application gateway, Accelerated networking, Virtual network peering, IPv6, Mac persistence, Netwatcher, Multiple IPs per NIC
• 1.8m virtual network interfaces
• 879k Network Security Groups
• 23k virtual network peerings
• 42.1m public IP address in use
• 28.8m reserved IP
• Over 100k TB traffic in/out per week
• 4.9k remote connectivity circuits
• 16.8m hours/week of VPN gateway

5 Azure VNet for Containers
One SDN
• VNet: One SDN for VMs & Containers
• Consistent way to specify policies
• One IP space, Containers as first class citizens on the network
• Connectivity between VMs and containers, Cross connectivity with on premises
• Rich feature set: Service chaining, ACLs, IPAM, Load balancing, DNS, PaaS Services
• Optimized for Cloud (no double overlays)
• Accelerated networking/FPGA works/existing offloads work
• No double encap

6 Container networking so far
Bridge/NAT Mode
• Orchestrator Default
• Connectivity within containers in same Host
• Connectivity outside the host requires NAT
• Isolated Networks
Overlay network Mode
• Connectivity with containers outside the same host
• Double encapsulation: performance degradation
• Two networking stacks
Diagram labels: NAT, Bridge, Source, Destination; VXLAN Tunnel, VNet Header, Overlay Header, Data

7 Azure Container Service + SDN
• ACS deploys and manages the infrastructure to run containers
• ACS creates clusters with chosen orchestrators
• Orchestrators can now plug in to Azure SDN stack with a single click
Diagram layers: Containers, Orchestrator, ACS engine, Azure VNet, Infrastructure

8 Public Preview Open SDN solution for containers in Azure
• Connects containers to Azure network
• One SDN, connectivity, security, network and infrastructure management
• Available with Azure Container Service (ACS)
Diagram label: Azure SDN Stack

9 Azure VNet for containers
• Connected to entire network (container, VM, on-premises)
• Native support for containers on Azure’s virtual network - all offloads supported with native performance
• Unified network policies for all workloads
Diagram labels: Azure Network; Backend connectivity: ExpressRoute, VPN Gateways

10 Containers in Azure VNet
• Full connectivity within VNet: to other Containers, VMs, peered VNets
• Granular network control that scales
• Load balancing, Direct Internet access
• Connect to on-premises over Express Route, secure VPN gateway

11 Azure VNet for containers—ecosystem
• Orchestrator/Plugin: For CNI (Kubernetes, DC/OS) and CNM (Docker Engine)
• Platform: For Linux and Windows
• Cloud: For Azure and Azure Stack for on premises
Diagram labels: Container orchestrator, Cloud network

12 Azure VNet for Containers
Open Source
• Microsoft Contributing to open source project
• CNI project, portability to Windows
• Azure VNet for Containers project, CNI plugin for Azure
• A single Azure open-source project for all things container networking on Azure

Microsoft is serious about open source and about serving as a committed participant in the open source community. We want to contribute fresh, innovative solutions for the community to share and build on. In this spirit, we are making available the complete and scalable Azure networking stack for containers that run on the Azure platform. A completely open source Container Network Interface (CNI) plug-in, sponsored by the Linux Foundation, will work with different orchestrators on any platform, without vendor lock-in, and open up the benefits of the Azure networking stack for the community to implement their own versions in Windows and Linux, allowing the community to contribute to, modify, and engage with the Azure network stack.

The significance of this announcement is that the container approach has not been available for networking before now. To network between containers, customers needed an overlay, which has an impact on performance, and had to use different vendors for different functionality such as load balancing, security, and on-premises connections. Azure Virtual Network for Containers will provide all that functionality at no extra cost, with the familiar Software Defined Networking (SDN) stack that is available in Azure VMs today. And you can use any third-party orchestrator to create Containers and leverage the Azure network as the platform.

To learn more about Azure Virtual Network for Containers

13 Open & Modular Architecture
Diagram labels: Container1, Container2, Container3 (Application Containers); Orchestrator (Kubernetes, DC/OS, Service Fabric); Container Runtime (Docker); CNI; Container hosting environment; 3rd party plugins; Network Plugin; IPAM Plugin; Operating System (Windows, Linux); OS environment; IP1, IP2, IP3; Containers as first class citizens on Network; Azure SDN: Service Chaining, Security, Connectivity

Open architecture – our SDN works with every partner

Azure offers a rich Software Defined Networking stack to accomplish the network virtual functions for virtual machines. Customers can deploy VMs into virtual private networks (VNets), set up network ACLs, load balancing, internet connectivity and connect back to on-premises through hybrid technologies. Today, we are announcing that all these network virtual functions can also be leveraged for containers running in Azure. ‘Azure Virtual Network’ for containers is a CNI plugin that works with various container orchestration engines to impart SDN to containers. This solution is also integrated into ‘Azure Container Service Engine’ so that it is readily available for a customer when using the Kubernetes SKU. Some of the unique benefits of the product are:
• Every container gets a directly addressable private IP address from the VNet
• The containers can communicate with one another by using the private IP address. No overlay or complex routing will be required.
• The containers can be configured behind the Azure Load Balancer
• The container IP addresses can be programmed in Azure Network Security groups to provide fine grained access control across VM instances.
• The containers will have full connectivity to the rest of the Virtual Network as well as on-premises through ExpressRoute or S2S VPN

14 Azure Container Service
The Azure CNI plugin is integrated into ACS engine and available through its settings: users turn on the CNI plugin in the settings template and start using it with their container orchestrator.

15 Demo

16 Demo Setup
Diagram: Azure VNet containing
• Kubernetes Cluster Subnet 10.240.0.0/12
• Database Subnet /24
• NSG
• Master, Linux Agent, Linux Agent
• LinuxVM, HR VM
• Pod1 (nginx), Pod2 (nginx), Pod3 (nginx)
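
Added example, not from the presentation or from Azure's code: a simplified model of inbound NSG evaluation (lowest priority number first, first match wins) applied to the demo layout, showing why pods with VNet IPs reach the database subnet under the default rules until an explicit deny is added. The VNet prefix, database subnet prefix, pod and VM addresses, port and custom rule names are constructed; the default rule names and priorities are Azure's, with the VirtualNetwork service tag approximated by a CIDR prefix.

```python
# Added example: simplified model of NSG inbound evaluation (not Azure's code).
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    name: str
    source: str            # CIDR prefix (real NSGs also accept service tags)
    dest: str              # CIDR prefix
    port: Optional[int]    # None matches any destination port
    allow: bool

VNET = "10.0.0.0/8"        # constructed VNet address space
CLUSTER = "10.240.0.0/12"  # Kubernetes cluster subnet from the demo slide
DB = "10.239.0.0/24"       # constructed: the slide shows only "/24"
DB_VM = "10.239.0.4"       # constructed database VM address
POD1, POD2 = "10.240.0.36", "10.240.0.37"  # constructed pod IPs
DB_PORT = 3306             # constructed database port

# Azure's default inbound rules relevant here; the VirtualNetwork
# service tag is approximated by the VNet prefix.
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", VNET, VNET, None, True),
    Rule(65500, "DenyAllInBound", "0.0.0.0/0", "0.0.0.0/0", None, False),
]
# Hypothetical custom rules: only Pod1 may reach the database.
CUSTOM = [
    Rule(100, "allow-pod1-to-db", POD1 + "/32", DB, DB_PORT, True),
    Rule(200, "deny-cluster-to-db", CLUSTER, DB, None, False),
]

def evaluate(rules, src, dst, port):
    """Return (allowed, rule_name) of the first matching rule by priority."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (s in ipaddress.ip_network(r.source)
                and d in ipaddress.ip_network(r.dest)
                and r.port in (None, port)):
            return r.allow, r.name
    return False, "no-match"

if __name__ == "__main__":
    for label, rules in (("defaults only", DEFAULTS), ("with custom", CUSTOM + DEFAULTS)):
        for pod in (POD1, POD2):
            print(label, pod, evaluate(rules, pod, DB_VM, DB_PORT))
```

With only the defaults, every pod is admitted by AllowVnetInBound; the per-pod allow takes effect only once the lower-priority deny for the cluster subnet is in place.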

17 Takeaways
One SDN
• On premises & Cloud
• VMs & Containers
• Linux & Windows
• Benefits: battle tested, enterprise-grade network; routing, security, NFV; uniform policies, designed to scale
Performance
• High performance networks – Azure Accelerated Networking
• Low-latency, high-bandwidth connections on Linux and Windows
Integration
• Click of a button, fully integrated to ACS

18 References
• GitHub - Azure VNet -
• Azure Container Services Engine -

