Azure Networking Michael Askins May 16, 2019.

1 Azure Networking Michael Askins May 16, 2019

2 Agenda
What is Azure Networking?
Breaking it down
Azure Scaffold
Types of Solutions
Monitoring and Security

3 What is Azure Monitor? An Overview of the Service

4 Azure Virtual Network
Enables resources to communicate with other resources, the internet, and on-premises networks.
Scoped to a single region by default, or to multiple regions using Virtual Network Peering.

5 Key Capabilities of Azure Networking
Isolation and segmentation
Communicate with the internet
Communicate between Azure resources
Communicate with on-premises resources
Filter network traffic
Route network traffic
Connect virtual networks

Isolation and segmentation
You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:
Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.
Use Azure-provided name resolution, or specify your own DNS server, for use by resources in a virtual network.

Communicate with the internet
All resources in a virtual network can communicate outbound to the internet by default. You can communicate inbound to a resource by assigning a public IP address or a public Load Balancer. You can also use a public IP or public Load Balancer to manage your outbound connections. To learn more about outbound connections in Azure, see Outbound connections, Public IP addresses, and Load Balancer. When using only an internal Standard Load Balancer, outbound connectivity is not available until you define how you want outbound connections to work, with an instance-level public IP or a public Load Balancer.

Communicate between Azure resources
Azure resources communicate securely with each other in one of the following ways:
Through a virtual network: You can deploy VMs, and several other types of Azure resources, to a virtual network, such as Azure App Service Environments, the Azure Kubernetes Service (AKS), and Azure Virtual Machine Scale Sets. To view a complete list of Azure resources that you can deploy into a virtual network, see Virtual network service integration.
Through a virtual network service endpoint: Extend your virtual network's private address space and the identity of your virtual network to Azure service resources, such as Azure Storage accounts and Azure SQL databases, over a direct connection. Service endpoints allow you to restrict access to your critical Azure service resources to only a virtual network. To learn more, see Virtual network service endpoints overview.

Communicate with on-premises resources
You can connect your on-premises computers and networks to a virtual network using any combination of the following options:
Point-to-site virtual private network (VPN): Established between a virtual network and a single computer in your network. Each computer that wants to establish connectivity with a virtual network must configure its own connection. This connection type is great if you're just getting started with Azure, or for developers, because it requires few or no changes to your existing network. The communication between your computer and a virtual network is sent through an encrypted tunnel over the internet. To learn more, see Point-to-site VPN.
Site-to-site VPN: Established between your on-premises VPN device and an Azure VPN Gateway that is deployed in a virtual network. This connection type enables any on-premises resource that you authorize to access a virtual network. The communication between your on-premises VPN device and an Azure VPN gateway is sent through an encrypted tunnel over the internet. To learn more, see Site-to-site VPN.
Azure ExpressRoute: Established between your network and Azure, through an ExpressRoute partner. This connection is private; traffic does not go over the internet. To learn more, see ExpressRoute.

Filter network traffic
You can filter network traffic between subnets using either or both of the following options:
Security groups: Network security groups and application security groups can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port, and protocol. To learn more, see Network security groups or Application security groups.
Network virtual appliances: A network virtual appliance is a VM that performs a network function, such as a firewall, WAN optimization, or another network function. To view a list of available network virtual appliances that you can deploy in a virtual network, see Azure Marketplace.

Route network traffic
Azure routes traffic between subnets, connected virtual networks, on-premises networks, and the Internet by default. You can implement either or both of the following options to override the default routes Azure creates:
Route tables: You can create custom route tables with routes that control where traffic is routed for each subnet. Learn more about route tables.
Border gateway protocol (BGP) routes: If you connect your virtual network to your on-premises network using an Azure VPN Gateway or ExpressRoute connection, you can propagate your on-premises BGP routes to your virtual networks. Learn more about using BGP with Azure VPN Gateway and ExpressRoute.

Connect virtual networks
You can connect virtual networks to each other using virtual network peering, enabling resources in either virtual network to communicate with each other. The virtual networks you connect can be in the same or different Azure regions. To learn more, see Virtual network peering.
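As an added example (not code from the presentation), the Python below models the first-match, priority-ordered evaluation a network security group applies to inbound traffic, including the three inbound default rules Azure creates. The custom rules, the admin address range and the service-tag ranges are constructed assumptions; it shows why a Deny rule with a higher priority number than a broad Allow never takes effect.

```python
"""Added example (not from the presentation): how an Azure Network Security
Group (NSG) decides whether inbound traffic is allowed. Rules are evaluated in
ascending priority (lowest number first) and the first match wins; Azure adds
its default inbound rules at priorities 65000-65500. Custom rules, addresses and
the service-tag ranges below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed ranges for the service tags used here. Azure resolves these tags
# itself; "Internet" is approximated as "anything outside RFC 1918 space".
VNET_PREFIXES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ip_network("168.63.129.16/32")  # source of Azure health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules; lower number = evaluated first
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, single IP or service tag
    dest_port: str   # "3389", "1000-2000" or "*"


# Azure's three inbound default rules, with the names and priorities it uses.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def source_matches(spec: str, src_ip: str) -> bool:
    ip = ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_PREFIXES)
    if spec == "Internet":
        return not any(ip in net for net in VNET_PREFIXES)
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB_PROBE
    return ip in ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


def decide(custom_rules: List[Rule], src_ip: str, dst_port: int,
           protocol: str) -> Tuple[str, str]:
    """Return (access, rule name) of the first inbound rule that matches."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.direction == "Inbound"
                and rule.protocol in ("*", protocol)
                and source_matches(rule.source, src_ip)
                and port_matches(rule.dest_port, dst_port)):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every inbound packet")


# Misconfiguration: the Deny was given a higher priority number than the broad
# Allow, so for RDP from the Internet it is never reached.
SHADOWED = [
    Rule("allow-rdp-any", 100, "Inbound", "Allow", "Tcp", "Internet", "3389"),
    Rule("deny-rdp-internet", 200, "Inbound", "Deny", "Tcp", "Internet", "3389"),
]

# Corrected: RDP is allowed only from a constructed admin range (203.0.113.0/24)
# and an explicit Deny for everything else from the Internet sits right after it.
SCOPED = [
    Rule("allow-rdp-admins", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "3389"),
    Rule("deny-rdp-internet", 110, "Inbound", "Deny", "Tcp", "Internet", "3389"),
]


def main() -> None:
    for label, rules in (("shadowed", SHADOWED), ("scoped", SCOPED)):
        for src, port in (("198.51.100.7", 3389), ("203.0.113.9", 3389), ("10.0.2.5", 80)):
            print(f"{label:8} {src}:{port} -> {decide(rules, src, port, 'Tcp')}")


if __name__ == "__main__":
    main()
```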

6 Azure Networking Overview
Global network: Build your network in the cloud to reach your customers, on-premises users, and resources on a global scale.
Secure your environment: More compliance certification offerings than any other cloud service provider.
Monitor your resources: Determine the effectiveness and security of your applications and resources.
Reliable and private: Making Azure a natural extension of your existing network.

Intelligently monitor your resources
Gain insight into the performance of all your applications, services, and resources using integrated tools and services in Azure, including Network Performance Monitor (NPM), which is part of the Azure Log Analytics suite. Monitor end-to-end connectivity and performance between your branch offices and Azure using NPM for Azure ExpressRoute. Track the performance, security, and health of your infrastructure with the tools available in Azure Monitor. Quickly diagnose problems and mitigate issues in your network with packet capturing, flow log analysis, and alerting in Azure Network Watcher.

Secure your apps and infrastructure
Limit traffic to resources and applications in your virtual network with network security groups. Configure network security as an extension of your application's structure and replicate your security policy with application security groups. Protect your applications from web vulnerabilities and exploits with web application firewall. Extend basic threat and DDoS protection with Azure DDoS Protection, offering resource-level protection, logging, alerting, and telemetry to further protect your virtual network from attacks.

Rely on a global network
Seamlessly deploy your advanced networking infrastructure using a highly available global Azure DNS with your Azure Virtual Network resources. Optimize applications across Azure Availability Zones and multiple regions with Azure Load Balancer. Build scalable, secure, and highly available web front ends in Azure with Azure Application Gateway. Accelerate performance and availability of your content to customers worldwide with Azure Content Delivery Network.

Make reliable, private connections
Create a private and fast network connection to Azure with Azure ExpressRoute and take advantage of a global network owned and operated by Microsoft. Connect two Azure virtual networks anywhere, without the overhead of using gateways to broker the connection, with virtual network peering. Securely and privately access your Azure resources with built-in VPN capabilities in Azure Virtual Network. You'll find point-to-site functionality and site-to-site options for region-to-region connectivity or connectivity to your own datacenter, with multiple bandwidth options and support from multiple leading appliance vendors.

7 Types of Resources: Find the networking product you need

8 Networking in Azure
Content Delivery Network: Ensure secure, reliable content delivery with broad global reach.
ExpressRoute: Dedicated private network fiber connections to Azure.
Azure DNS: Host your DNS domain in Azure.
Virtual Network: Provision private networks, optionally connect to on-premises datacenters.
Traffic Manager: Route incoming traffic for high performance and availability.
Load Balancer: Deliver high availability and network performance to your applications.
VPN Gateway: Establish secure, cross-premises connectivity.
Application Gateway: Build secure, scalable, and highly available web front ends in Azure.
Azure DDoS Protection: Protect your applications from Distributed Denial of Service (DDoS) attacks.
Network Watcher: Network performance monitoring and diagnostics solution.
Azure Firewall: Native firewalling capabilities with built-in high availability, unrestricted cloud scalability, and zero maintenance.
Virtual WAN: Optimize and automate branch-to-branch connectivity through Azure.
Azure Front Door Service: Scalable, security-enhanced delivery point for global, microservice-based web applications.

9 Azure Networking Services by Product
Virtual Network: Connect everything from virtual machines to incoming VPN connections.
Load Balancer: Balance inbound and outbound requests to your applications or service endpoints.
Application Gateway: Optimize delivery from application server farms while increasing security with a web application firewall.
VPN Gateway: Securely use the internet to access Azure Virtual Networks with high-performance VPN gateways.
DNS: Ensure ultra-fast DNS responses and ultra-high availability for all your domain needs.
CDN: Accelerate the delivery of high-bandwidth content to customers worldwide.
DDoS Protection: Protect your Azure applications from the impacts of DDoS attacks.
Traffic Manager: Distribute traffic to services across global regions, while providing high availability and responsiveness.
ExpressRoute: Add private network connectivity to access Microsoft cloud services from your corporate networks.
Network Watcher: Monitor and diagnose conditions at a network scenario level.
Azure Firewall: Firewalling capabilities with built-in high availability, unrestricted cloud scalability, and zero maintenance.
Virtual WAN: Connect sites with a unified wide-area network portal.
Front Door Service: Scalable, security-enhanced delivery point for global, microservice-based web applications.

10 Overview of Resources: Touching on each area of Azure Networking

11 Content Delivery Network
Reduce load times, save bandwidth, and speed responsiveness.
Deep integration: CDN works seamlessly with Azure services, including Web Apps, Media Services, Storage, and Cloud Services. Apply CDN to your scenarios in just a few clicks.
Massive capacity: With its distributed, global presence, CDN easily handles sudden traffic spikes and heavy loads (for example, during major product launches or global sporting events) without new infrastructure costs or capacity concerns.
Developer-friendly: Azure APIs and developer tools give you the performance, reliability, and security you need to build global applications fast. Our APIs also give customers the flexibility to optimize features for availability and performance.
Robust security: Mitigate security threats on the content distribution network, such as distributed denial-of-service attacks. Optimize security by enabling HTTPS for your domain names, without additional cost or certificate management.
Multiple providers: Build and tailor your content delivery strategy with a choice of providers. Azure CDN integrates with services from Akamai and Verizon, enabling customers to select the right solution for their needs (for example, to load balance across content delivery networks).
Advanced analytics: Gain insights about customer workflows and business needs by tracking engagement with the content. See how customers are receiving and caching assets, and further monitor traffic on the content delivery network using real-time and granular analytics.

12 ExpressRoute: Experience a faster, private connection to Azure
Private connections (not over the public internet)
Increased reliability and speed
Lower latency
Bandwidth up to 100 Gbps
Connects directly to your WAN

Connect on-premises networks using the Microsoft global network
Use Azure ExpressRoute to create private connections between Azure datacenters and infrastructure on your premises or in a colocation environment. ExpressRoute connections don't go over the public Internet, and they offer more reliability, faster speeds, and lower latencies than typical Internet connections. In some cases, using ExpressRoute connections to transfer data between on-premises systems and Azure can give you significant cost benefits. With ExpressRoute, establish connections to Azure at an ExpressRoute location, such as an Exchange provider facility, or directly connect to Azure from your existing WAN network, such as a multiprotocol label switching (MPLS) VPN provided by a network service provider.

Use a virtual private cloud for storage, backup, and recovery
ExpressRoute gives you a fast and reliable connection to Azure with bandwidths up to 100 Gbps, which makes it excellent for scenarios like periodic data migration, replication for business continuity, disaster recovery, and other high-availability strategies. It can be a cost-effective option for transferring large amounts of data, such as datasets for high-performance computing applications, or moving large virtual machines between your dev-test environment in an Azure virtual private cloud and your on-premises production environments.

Extend and connect your datacenters
Use ExpressRoute to both connect and add compute and storage capacity to your existing datacenters. With high throughput and low latencies, Azure will feel like a natural extension to or between your datacenters, so you enjoy the scale and economics of the public cloud without having to compromise on network performance.

Build hybrid applications
With the predictable, reliable, and high-throughput connections offered by ExpressRoute, build applications that span on-premises infrastructure and Azure without compromising privacy or performance. For example, run a corporate intranet application in Azure that authenticates your customers with an on-premises Active Directory service, and serve all of your corporate customers without traffic ever routing through the public Internet.

13 Azure DNS: Host your domain in Azure for outstanding performance and availability
DNS hosted alongside your apps
Ultra-high availability
Fast DNS queries
Quick updates to DNS records
Supports all common DNS record types

Host your DNS alongside your apps
Use Azure DNS to host your Domain Name System (DNS) domains in Azure. Manage your DNS records using the same credentials, billing, and support contract as your other Azure services. Seamlessly integrate Azure-based services with corresponding DNS updates and streamline your end-to-end deployment process.

Accelerate your apps with fast DNS queries
Azure DNS uses a global network of name servers to provide fast responses to DNS queries. We use Anycast networking, so DNS queries automatically route to the closest name servers to give you the best possible performance.

Rely on the Microsoft global network of DNS servers
The Microsoft global network of name servers has the scale and redundancy to give you ultra-high availability for your domains. With Azure DNS, you can be confident that your DNS will always be available.

Get DNS updates without the wait
When you add a new DNS record, the Azure DNS name servers are updated in a few seconds, so you don't have to wait long before that DNS record can be used.

Azure DNS Private Zones (Preview)
Azure DNS Private Zones provides a simple, reliable, secure DNS service to manage and resolve names in a VNet without the need for you to create and manage a custom DNS solution. This new capability allows you to use your own domain names, rather than the Azure-provided names available today, and provides name resolution for VMs within a VNet and between VNets. Additionally, you can configure zone names with a split-horizon view, allowing a private and a public DNS zone to share the same name.

Use your favorite DNS appliances in Azure
Industry best-of-breed appliances
Easy to configure and manage
Easily scalable and highly available

Simplify your migration
Use the brands you already know and the skills your team already has to bring advanced DNS capabilities (such as security through DNS filtering) to your virtual network while maintaining a familiar experience.

Enhance your security
Add advanced DNS security to your virtual network by deploying a DNS firewall, and help mitigate DNS-related security issues such as phishing and data exfiltration.

14 Virtual Network: Your private network in the cloud
Build a hybrid infrastructure that you control
Bring your own IP addresses and DNS servers
Secure your connections with an IPsec VPN or ExpressRoute
Get granular control over traffic between subnets
Create sophisticated network topologies using virtual appliances
Get an isolated and highly secure environment for your applications

Enhance security and isolation
Azure Virtual Network gives you an isolated and highly secure environment to run your virtual machines and applications. Use your private IP addresses and define subnets, access control policies, and more. Use Virtual Network to treat Azure the same as you would your own datacenter.

Rely on our global reach
Traffic between Azure resources in a single region, or in multiple regions, stays in the Azure network; intra-Azure traffic doesn't flow over the Internet. In Azure, traffic for virtual machine-to-virtual machine, storage, and SQL communication only traverses the Azure network, regardless of the source and destination Azure region. Inter-region virtual network-to-virtual network traffic also flows entirely across the Azure network.

Build sophisticated network topologies
In a virtual network, run your favorite network virtual appliances (WAN optimizers, load balancers, and application firewalls) and define traffic flows, allowing you to design your network with a greater degree of control.

Extend your datacenter into the cloud
Use Virtual Network to extend your on-premises IT environment into the cloud, the same way you set up and connect to a remote branch office. You have options to securely connect to a virtual network: choose an IPsec VPN or a private connection by using Azure ExpressRoute.

Create hybrid applications
Use Virtual Network to build your hybrid cloud applications that securely connect to your on-premises datacenter, so an Azure web application can access an on-premises SQL Server database, or authenticate customers against an on-premises Azure Active Directory service.

IaaS and PaaS, better together
Use Virtual Network to build your services that rely on Azure cloud services and Azure Virtual Machines. Use Azure web roles for your front end and virtual machines for back-end databases. Combine platform as a service (PaaS) and infrastructure as a service (IaaS) in a virtual network to get more flexibility and scalability when you're building apps.

Tap your network traffic
Mirror and share a deep copy of your inbound and outbound virtual network traffic. Take advantage of aggregation, packet collection, and load balancing solutions by streaming traffic to a destination IP endpoint or an internal load balancer in the same Virtual Network, a peered Virtual Network, or a Network Virtual Appliance that you can deploy from a growing list of security, network, and application performance management partners.

Use the networking solution that is right for you
Find and take advantage of popular networking appliances, load balancers, and firewall and traffic management solutions in the Azure Marketplace.

15 Traffic Manager: Route incoming traffic for high performance and availability
Obtain high availability with multiple automatic failover options
Increase app responsiveness by leveraging performance routing
Seamlessly combine on-premises systems and cloud systems
Get actionable insights based on user traffic volumes and patterns

DNS-based load balancing
Azure Traffic Manager operates at the DNS layer to quickly and efficiently direct incoming DNS requests based on the routing method of your choice. An example would be sending requests to the closest endpoints, improving the responsiveness of your applications.

How Azure Traffic Manager Works

Choose from flexible traffic routing options
Azure Traffic Manager offers four types of DNS-based traffic routing: failover, performance, geographic, and weighted round-robin. Choose the one that's right for you, or combine them using nested profiles.

Reduce application downtime
Traffic Manager can improve the availability of important applications by monitoring your Azure services, or external websites and services, and automatically directing users to the next best location when there's a failure.

Improve app performance and content delivery
Traffic Manager makes your applications more responsive and improves content delivery times by directing your customers to Azure endpoints or an external location with the lowest network latency.

Distribute user traffic over multiple locations
Traffic Manager can direct your customer traffic and distribute it across multiple locations, such as multiple cloud services or multiple Azure web apps. Traffic Manager can also help you with your geofencing needs, using the geographic routing method.

Use with your on-premises datacenter
Traffic Manager is a popular option for on-premises scenarios, including burst-to-cloud, migrate-to-cloud, and failover-to-cloud. Use it to upgrade or perform maintenance on your on-site datacenter without inconveniencing customers.

Geographic fencing of your application users
Traffic Manager provides you with geographic routing capabilities to ensure content localization and adherence to data sovereignty regulations. Applying geofencing allows users connecting from specific geographic regions to be routed to specific endpoints.

Obtain actionable insight about your users
Use the Traffic View capability in Traffic Manager to see where your users are connecting from and the quality of their digital experience.

16 Load Balancer: Deliver high availability and network performance to your applications
Instantly add scale to your applications
Load balance Internet and private network traffic
Improve application reliability via health checks
Flexible NAT rules for better security
Directly integrated into virtual machines and cloud services
Native IPv6 support

Simplify load balancing for applications
With built-in load balancing for cloud services and virtual machines, you can create highly available and scalable applications in minutes. Azure Load Balancer supports TCP/UDP-based protocols such as HTTP, HTTPS, and SMTP, and protocols used for real-time voice and video messaging applications.

High availability and robust performance for your applications
Load Balancer automatically scales with increasing application traffic. Without you needing to reconfigure or manage the load balancer, your applications provide a better customer experience.

Internal load balancer
Use the internal load balancer for traffic between virtual machines inside your private virtual networks, or use it to create multi-tiered hybrid applications.

Build highly reliable applications
Load Balancer probes the health of your application instances, automatically takes unhealthy instances out of rotation, and reinstates them when they become healthy again. Use Load Balancer to improve application uptime.

Secure your networks
Control your inbound and outbound network traffic, and protect private networks using built-in network address translation (NAT). Secure your network and integrate network security groups with Load Balancer.

Expand your reach using IPv6
Load-balanced IPv6 Internet connectivity all the way to native IPv6 endpoints on your Azure virtual machines. Native dual-stack endpoints help meet regulatory requirements and address the fast-growing number of devices in mobile and IoT markets looking to connect to Azure-based services.

17 VPN Gateway: Connecting your infrastructure to the cloud
Industry-standard Site-to-Site IPsec VPNs
Point-to-Site VPN access from anywhere
99.9% uptime SLA for VPN gateways
Highly available and easy to manage
Secure connections from anywhere

Connect your datacenter to Azure
Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs, in a similar way to how you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Connect to your Azure virtual networks from anywhere
Point-to-Site VPN lets you connect to your virtual machines on Azure virtual networks from anywhere, whether you are on the road, working from your favorite café, managing your deployment, or doing a demo for your customers.

18 Application Gateway: Platform-managed, scalable, and highly available application delivery controller as a service
99.95 percent uptime service-level agreement for multi-instance deployments
Customizable layer 7 load-balancing solution
Integrated web application firewall
Centralized SSL offload and SSL policy
Support for cookie-based session affinity
Support for public, private, and hybrid websites
Management through Azure APIs

Web application firewall
Protect your applications from common web vulnerabilities such as SQL injection and cross-site scripting. Monitor your web applications using custom rules and rule groups to suit your requirements and eliminate false positives.

Scalable, highly available web application delivery
Get application-level load-balancing services and routing to build a scalable and highly available web front end in Azure. Autoscaling (preview) offers elasticity by automatically scaling Application Gateway instances based on your web application traffic load.

Tight integration with Azure
Application Gateway is integrated with several Azure services. Azure Traffic Manager supports multiple-region redirection, automatic failover, and zero-downtime maintenance. Use Azure Virtual Machines, virtual machine scale sets, or the Web Apps feature of Azure App Service in your back-end pools. Azure Monitor and Azure Security Center provide centralized monitoring and alerting, and an application health dashboard. Key Vault offers central management and automatic renewal of SSL certificates.

End-to-end SSL
Strong encryption from front end to back end helps to secure your data.

Layer 7 intelligent routing
Route traffic to back-end server pools with URL path-based routing, and to multiple web applications using host header-based routing.

Efficient SSL offload and certificate management
Scale your web application with SSL offload, and centralize SSL certificate management to reduce encryption and decryption overhead on your servers.

19 Azure DDoS Protection: Protect your Azure resources from Distributed Denial of Service (DDoS) attacks
Always-on monitoring and automatic network attack mitigation
Adaptive tuning based on platform insights in Azure
Application layer protection with Azure Application Gateway Web Application Firewall
Integration with Azure Monitor for analytics and insights
Protection against the unforeseen costs of a DDoS attack

DDoS attack protection with the scale and elasticity of Azure
Backed by the Microsoft global network, DDoS Protection brings massive DDoS mitigation capacity to every Azure region. Scrub traffic at the Azure network edge before it can impact the availability of your service.

Turnkey defense
Cover all resources on a virtual network when you enable Azure DDoS Protection via simplified configuration. Always-on traffic monitoring provides near real-time detection of a DDoS attack, with no intervention required. DDoS Protection automatically mitigates the attack as soon as it's detected.

Adaptive tuning
DDoS Protection provides advanced intelligence that automatically configures and tunes your DDoS Protection settings. The DDoS service understands your resources and resource configuration, and uses intelligent traffic profiling to learn application traffic patterns over time.

Multi-layered protection
Deployed with Azure Application Gateway Web Application Firewall, DDoS Protection defends against a comprehensive set of network layer (layer 3/4) attacks, and protects web apps from common application layer (layer 7) attacks, such as SQL injection, cross-site scripting attacks, and session hijacks. Web Application Firewall comes preconfigured to handle threats identified by the Open Web Application Security Project (OWASP) top 10 common vulnerabilities.

Near real-time metrics and alerts
Native integration with Azure Monitor exposes attack metrics and telemetry alongside other resource telemetry. Flexible alerting mechanisms notify you when an application is under attack.

Attack analytics
Get detailed reports in five-minute increments during an attack, and a complete summary after the attack ends. Stream DDoS mitigation flow logs to an offline security information and event management (SIEM) system for near real-time monitoring during an attack.

Rapid response
Engage the DDoS Protection rapid response team for help with attack investigation, custom mitigation, and analysis.

Protection against unplanned resource costs
Receive service credit for resource costs incurred as a result of a documented DDoS attack.

20 Network Watcher
Monitor, diagnose, and gain insights into your network performance and health
Remotely capture packet data for your virtual machines
Monitor your virtual machine network security using flow logs and security group view
Diagnose your VPN connectivity issues

Automate remote network monitoring with packet capture: Monitor and diagnose networking issues without logging in to your virtual machines (VMs) using Network Watcher. Trigger packet capture by setting alerts, and gain access to real-time performance information at the packet level. When you see an issue, you can investigate in detail for a better diagnosis.
Gain insight into your network traffic using flow logs: Build a deeper understanding of your network traffic patterns using Network Security Group flow logs. The information provided by flow logs helps you gather data for compliance, auditing, and monitoring your network security profile.
Diagnose VPN connectivity issues: Network Watcher lets you diagnose the most common VPN Gateway and Connection issues, allowing you not only to identify the issue but also to use the detailed logs it creates to investigate further.
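The flow logs mentioned above are the raw material for the "monitoring your network security profile" use case. As an added example (not code from the presentation or from Microsoft), this script walks the NSG flow log record layout, parses each version 2 flow tuple, and summarises denied inbound flows per source IP, the kind of check a defender would run over logs pulled from the storage account. The record below is constructed; the resourceId is a placeholder and the addresses come from documentation ranges.

```python
import json
from collections import Counter, defaultdict

# Constructed sample shaped like one NSG flow log record (version 2);
# the resourceId is a placeholder and the addresses are documentation ranges.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2019-05-16T12:00:35Z",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/.../NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001",
         "flowTuples": [
            "1558008000,203.0.113.7,10.0.1.4,51000,22,T,I,D,B,,,,",
            "1558008001,203.0.113.7,10.0.1.4,51001,3389,T,I,D,B,,,,",
            "1558008002,198.51.100.9,10.0.1.4,40000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3A000001",
         "flowTuples": [
            "1558008003,192.0.2.10,10.0.1.4,52000,443,T,I,A,B,,,,",
            "1558008010,192.0.2.10,10.0.1.4,52000,443,T,I,A,E,12,3000,10,9000"]}]},
    ]}}]})

# Version 2 tuple layout: proto T/U, direction I/O, decision A/D, state B/C/E,
# then packet/byte counters, which are empty while the flow is beginning (B).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")

def parse_tuple(rule, tup):
    """One comma-separated flow tuple -> dict tagged with its NSG rule name."""
    parts = tup.split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected tuple width: {tup!r}")
    return dict(zip(FIELDS, parts), rule=rule)

def iter_flows(raw_json):
    """Yield every flow tuple in a flow log blob; non-v2 records are skipped."""
    for rec in json.loads(raw_json)["records"]:
        if rec["properties"].get("Version") != 2:
            continue
        for rule_block in rec["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    yield parse_tuple(rule_block["rule"], tup)

def denied_inbound_by_source(raw_json):
    """Denied inbound flows per source IP -> {ip: (count, sorted dst ports)}."""
    counts, ports = Counter(), defaultdict(set)
    for f in iter_flows(raw_json):
        if f["direction"] == "I" and f["decision"] == "D":
            counts[f["src_ip"]] += 1
            ports[f["src_ip"]].add(int(f["dst_port"]))
    return {ip: (n, sorted(ports[ip])) for ip, n in counts.most_common()}
```

Calling `denied_inbound_by_source(SAMPLE_FLOW_LOG)` on the sample returns the two blocked sources with the ports each one touched; on real logs, feed it the JSON blobs Network Watcher writes to the configured storage account.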

21 Azure Firewall
Cloud-native network security to protect your Azure resources
Stateful firewall as a service
Built-in high availability with unrestricted cloud scalability
Ability to centrally create, enforce, and log application and network connectivity policies
Threat intelligence-based filtering
Source and destination Network Address Translation (SNAT and DNAT) support
Fully integrated with Azure Monitor for logging and analytics
Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Enable turnkey firewall capabilities in your virtual network to control and log access to apps and resources. Azure Firewall supports filtering for both inbound and outbound traffic, internal spoke-to-spoke traffic, and hybrid connections through Azure VPN and ExpressRoute gateways.
High availability and cloud scale: Azure Firewall automatically scales with your usage during peak load or as your business grows, eliminating the need to predict and reserve capacity for peak usage.
Network- and application-level connectivity policies: Write policies that span fully qualified domain name filtering for outbound HTTP(S) traffic and network filtering controls using IP address, port, and protocol. Restrict access, prevent data exfiltration, and create connectivity policies across multiple subscriptions and virtual networks.
Intelligent near real-time security: Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic to and from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services, including Azure Security Center.
Communicate with Internet resources using SNAT and DNAT: Azure Firewall uses a static public IP address for your virtual network resources through source network address translation (SNAT). This allows outside firewalls to identify traffic originating from your virtual network. Inbound traffic filtering for backend services in your Virtual Network (VNet) is supported by destination network address translation (DNAT).
Central logging and analytics: Use fully integrated, built-in monitoring and reporting in one place with Azure Monitor.

22 Virtual WAN
Simple, unified, global connectivity and security
Automated large-scale branch connectivity
Unified network and policy management
Optimized routing using the Microsoft global network

Massive scale with software-defined connectivity: Connect your global branch offices, point-of-sale locations, and sites using Azure and the Microsoft global network. Plan, configure, and seamlessly deploy new connections, tuned for a growing ecosystem of market-leading partners, OpenVPN clients, and Azure ExpressRoute connections.
One place for managing your network: Deploy, manage, and monitor your sites and connected Azure virtual networks through a unified portal experience.
Optimize security and agility with our global network: Experience optimal routing and minimal latency for branch-to-branch and branch-to-Azure connectivity. When you connect your on-premises sites to Azure and your traffic enters the Microsoft network, it stays there while traversing the globe.

23 Azure Front Door Service
Scalable and secure entry point for fast delivery of your global applications
SSL offload and application acceleration at the edge close to end users
Global HTTP load balancing with instant failover
Actionable insights about your users and back ends
Web Application Firewall (WAF) and DDoS Protection
Central control plane for traffic orchestration

Globally distributed microservice applications: Easily join your distributed microservice architectures into a single global application using HTTP load balancing and path-based routing rules. Automate turning up new regions and scale-out with API-driven global actions, and independent fault tolerance for your back-end microservices in Azure or anywhere.
Dynamic applications with global reach: Deliver and protect your global application close to your end users with a "battle-tested" service built on world-class Microsoft Global Network infrastructure. Always keep your traffic on the best path to your app, improve your service scale, reduce latency, and increase throughput for your global users with edge load balancing and application acceleration.
Global, real-time performance and availability for your app or API: Flexibly route your users to the closest available back end, with instant failover, in response to changes in availability or on-the-path performance from your users to your back end. Front Door supports different load balancing algorithms to better manage your back-end load, including round-robin, weighted round-robin, active/standby configurations, and cookie-based session affinity.
Scale up your global application: Offload SSL and domain management at the edge while accelerating dynamic content to improve agility and scale for your app, and performance for your users.
Protect your app from attacks: Stop network and application layer attacks at the edge with Web Application Firewall and DDoS Protection. Harden your service using Microsoft managed rule sets and author your own rules for custom protection of your app.
Centralized traffic orchestration view: Easily manage domain mapping and traffic to your microservice back ends using one central, global dashboard.
Actionable insights about your users and back ends: Get insights about where your users are connecting from and the quality of their experience, and select the optimal regions for your Azure back ends.

24 Respond What to do with Azure Monitor Information?

25 Azure Monitor
Full-Stack Visibility: View your applications, infrastructure, and network with analytics, dashboards, and visualization maps.
Intelligent Insights: Analyze, correlate, and monitor data with anomaly detection and predictive analytics.
Proactive Optimization: Identify ways to improve your applications. Analyze user behavior and measure the impact of your changes.
Open and Extensible: Out-of-the-box integration with popular DevOps, issue management, ITSM, and SIEM tools.

26 Azure Advisor
Another area of integration is Azure Advisor, which Microsoft defines as a “personalized cloud consultant that helps you follow best practices to optimize your Azure deployments. It analyzes your resource configuration and usage telemetry and then recommends solutions.” It gives recommendations on how to enhance your Azure experience in four distinct areas:
High Availability - Ensure and improve the continuity of your business-critical applications.
Security - Detect threats and vulnerabilities that might lead to security breaches.
Performance - Improve the speed of your applications.
Cost - Optimize and reduce your overall Azure spending.
Best of all, Azure Advisor recommendations come to you at no additional cost and provide actionable results, in many cases with step-by-step instructions and links on how to implement the suggestion. Azure Advisor runs separately on each subscription in your Azure environment and can be turned on and off for specific subscriptions or resource groups. Azure Monitor can be enabled to send you alerts on these recommendations, keeping you up to date without having to check back on this section continuously.

27 Next Steps: Azure Scaffold
Before we end, I’d like to cover an offering from Pragmatic Works that takes everything we covered into account, and much more. We call this offering the Azure Scaffold, a Microsoft term for the framework that sets up an Azure architecture and that can also help validate your architecture. Monitoring and Alerting, shown in the highlighted section (Step 7), is one of many topics we cover in this initiative. The other topics shown are customized and go into company-specific details for each area:
Step 1: Governance – Building a foundation
Step 2: Hierarchy Definition – Organizing your Azure environment
Step 3: Naming Standards – Making your Azure environment consistent
Step 4: Policy and Initiatives – Managing your risk and enforcing rules
Step 5: Identity and Access – Controlling access to the Azure environment
Step 6: Security – Protecting your Azure resources
Step 7: Monitor and Alerts – Collecting, analyzing, and sending telemetry data
Step 8: Cost Management – Optimizing and right-sizing your environment
Step 9: Automation and DevOps – Saving time and limiting mistakes by making items reusable
*Step 10: Core Network – Ensuring effective and secure data transfer

28 Thanks for Joining! Have Any Questions?
Thank you for joining today’s session! Hopefully, you were able to take something away from today’s session that will help you better manage your Azure environment. I’d be glad to answer some questions with the time we have left if there are any in the queue.

