Presentation is loading. Please wait.

Presentation is loading. Please wait.

Designing Networking and Hybrid Connectivity in Azure

Published byErick Parks Modified over 9 years ago

Similar presentations

Presentation on theme: "Designing Networking and Hybrid Connectivity in Azure"— Presentation transcript:

1 Designing Networking and Hybrid Connectivity in Azure
Yu-Shun Wang Program Manager Azure Networking

2 Networking in Azure Internet Connectivity Virtual Networks
Hybrid Connectivity

3 The Big Networking Picture
Virtual Networks Flexible, multi-tier topology Network segmentation Internal load balancing Azure Virtual Network Service consumers (Internet) Front-End Network Access Load-balanced and direct VIPs ACLs & DDoS protection Traffic Manager & Azure DNS On premises Datacenter Backend Connectivity Secure Internet cross premises VPN connectivity ExpressRoute – direct connectivity

4 Internet Connectivity

5 Traffic Manager: DNS-based Load Balancing
Performance - Direct to “closest” service based on network latency Round-robin - Distribute equally across all services Failover - Direct to “backup” service if primary fails —also included in other policies Load balancing policies

6 Nested Profile for Traffic Manager
MyApp.TrafficManager.net Performance Load Balancing WestUS. CloudApp.net EastUS. CloudApp.net EUNorth. TrafficManager.net EUWest. CloudApp.net AsiaEast. CloudApp.net JapanWest. CloudApp.net Weight=95% Weight=5% EUNorth. CloudApp.net EUNorth-new. CloudApp.net

7 Internet IP Addresses & Load Balancing
VIP Internet IP load balanced among one or more VM instances MUST explicitly “open” input endpoints Primarily for load balanced, highly available, or auto-scale scenarios PIP Internet IP assigned to a single VM exclusively Entire port ranges are accessible by default For applications that dispatch/redirect to a secondary port(s) on the same VM or require to target a specific VM Internet Microsoft Azure LB Cloud service Reserved VIP VM1 VM2 DIP1 DIP2

8 Azure Load Balancing Algorithms
Client 1 Client 2 Client 3 Default 5-tuple-hash based; spreading incoming connections to all active instances Source-IP-based affinity All connections from the same Internet client IP to the same backend server 2-tuple/3-tuple hash Scenarios Applications that require multiple connections to the same server Example: media streaming to establish control and data channel to same backend server VIP Azure Load Balancer VM Server Instance 1 VM Server Instance 2

9 Virtual Network

10 Azure Virtual Network Bring Your Own Network
On Premises 10.0/16 Bring Your Own Network Address spaces – Private/RFC1918 & Public IP* Multi-tier subnet topology Bring your own AD & DNS Linux, virtual appliances, & Windows Logical isolation with control over network segmentation using Network Security Groups Secure cross premises connectivity Internet S2S VPNs & ExpressRoute Direct Internet Connectivity VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 AD / DNS Azure Virtual Network

11 Network Security Groups
Enables network segmentation & DMZ Access Control List Filter conditions with allow/deny Individual addresses, address prefixes, wildcards Associate with VMs or subnets Ingress  Subnet ACLs  VM ACLs  VM Egress  Subnet ACLs  VM ACLs  VM On Premises 10.0/16 Internet Internet S2S VPNs VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

12 Internal Load Balancing
Internet Enables load balancing among VMs with private IP addresses Accessible only by customer’s virtual network and on-premises networks Multi-tier applications with internal facing tiers require load balancing HA LOB apps SQL Always On RDP to internal endpoints for added default security Replaces “Floating IPs” Public VIP Azure Virtual Network External load balancer Internal VIP Internal load balancer Back end Front end Web frontend tier Logic tier

13 Virtual Appliances

14 Multiple NICs in Azure VMs
Multiple NICs enable virtual appliances in Azure IaaS (Azure VMs); VNet only MAC/IP addresses persist through VM life cycle No user action required Separate frontend-backend traffic, and management-data planes Up to 4 NICs per VM Azure Virtual Machine NIC2 NIC1 Default Azure Virtual Network VIP: Internet Backend Subnet App Subnet Frontend Subnet

15 Bring Your Appliances to the Cloud
Building blocks Multiple NICs MAC address persistence Appliance ecosystem Barracuda NG Firewall Citrix NetScaler Riverbed Steelhead, SteelApp, SteelStore More to come! “Azure Certified”

16 Hybrid Connectivity

17 Hybrid Network Offerings
Cloud Customer Segment and workloads Secure point-to-site connectivity Developers POC Efforts Small scale deployments Connect from anywhere SMB, Enterprises Connect to Azure compute Secure site-to-site VPN connectivity ExpressRoute private connectivity SMB & Enterprises Mission critical workloads Backup/DR, media, HPC Connect to all Azure services

18 Multi-site & VNet-to-VNet connectivity
Multiple Site-to-Site connections Multiple on-premises sites connect to same virtual network VNet-to-VNet connectivity to any Azure datacenter Same region or cross regions For HA and DR, customers create virtual networks in different Azure regions Cross-subscription connectivity Virtual networks in different subscriptions can securely communicate using private IP addresses Multi-site & VNet-to-VNet Connect to multiple virtual networks and on-premises locations VNet2 East Asia 10.2/16 VNet1 US West 10.1/16 Contoso NorthAm HQ ( /16) Contoso East Asia ( /16)

19 Forced Tunneling “Force” or redirect customer Internet-bound traffic to an on-premises site Auditing & inspecting outbound traffic from Azure Needed by many scenarios for critical security and IT policy requirements On Premises Internet Forced Tunneled via S2S VPN S2S VPNs Internet VPN GW Backend 10.3/16 Mid-tier 10.2/16 Frontend 10.1/16 Virtual Network

20 Gateway Enhancements High Performance Gateway No Encryption option
Better throughput More S2S tunnels Pricing $0.49 per gateway hour Data transfer & VNet traffic rates unchanged No Encryption option Better throughput for Vnet-to-Vnet within Azure Intra-/Inter-region Vnet-to-Vnet traffic stays within Microsoft networks, not Internet PFS Support for IKE Compliance requirements & better security Operations Logs Visibility into critical gateway events Gateway SKU ExpressRoute Throughput* S2S Throughput* Max Tunnels Default 500 Mbps 100 Mbps 10 Performance 1000 Mbps 200 Mbps 30 * Subject to traffic conditions and application behavior

21 ExpressRoute

22 Customers want Azure on their network
Microsoft Consumer Channels and Central Marketing Group 4/17/2017 Customers want Azure on their network IPsec VPN over Internet Greater networking costs and higher latency Data traverses the Internet to reach public cloud Limited bandwidth Azure WAN Customer DC Customer site 1 Customer site 2 Public internet Cloud on your WAN Avoids risks from exposure to Internet Avoids complexity and added costs Provides lower latency, higher bandwidth and greater availability Azure WAN Customer DC Customer site 1 Customer site 2 Public internet © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23 ExpressRoute Connectivity Options
Azure Public Services Connectivity provider infrastructure Azure Edge Customer’s dedicated connection Customer’s network Azure Compute Traffic to public Azure IP addresses Traffic to Azure Virtual Networks

24 ExpressRoute Partners
Exchange Provider Network Service Provider ExpressRoute partner location Public internet Customer site Microsoft Azure Customer site 1 Customer site 2 Customer site 3 WAN Public internet Microsoft Azure

25 ExpressRoute Locations
US Atlanta Chicago Dallas Los Angeles New York Seattle Silicon Valley, CA Washington D.C. EMEA Amsterdam London, UK APAC Hong Kong Singapore Sydney Tokyo Locations AT&T British Telecom Colt Equinix Internet Initiative Japan (IIJ) Level3 Orange SingTel Tata Communications Telecity Group Telstra Verizon Partners Azure datacenters ExpressRoute Locations (today) New Locations and coming soon

26 Path Diversity for HA and DR
North Europe West Europe One VNet can be linked to many circuits Each circuit can be through different service providers in different locations HA + DR = Active-active in 1 location + active-active in 2nd location Aggregate Throughput determined by VNet Gateway size London Amsterdam

27 Path Diversity for HA and DR
Azure Region(s) Share an ExpressRoute circuit across multiple subscriptions Circuit owner must authorize and can revoke authorization Owner gets billed for usage Azure Services Storage SQL DB Websites R&D AD / DNS On-premises Network Sales AD / DNS Proxy / Interner edge SQL Farm IIS Servers ExpressRoute AD / DNS Monitoring Exchange Marketing AD / DNS

28 Enterprise-Grade Hyper-Scale Hybrid

29 4/17/2017 3:32 PM © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Designing Networking and Hybrid Connectivity in Azure"

Similar presentations

Module 1: Demystifying Software Defined Networking Module 2: Realizing SDN - Microsoft’s Software Defined Networking Solutions with Windows Server 2012.

Module 1: Demystifying Software Defined Networking Module 2: Realizing SDN - Microsoft’s Software Defined Networking Solutions with Windows Server 2012.
WAN WAN ExpressRoute provides a private, dedicated, high-throughput network connection between on-premises and Microsoft Azure.

WAN WAN ExpressRoute provides a private, dedicated, high-throughput network connection between on-premises and Microsoft Azure.
Hybrid Hyper-scale Enterpris e Grade Azure compute regions.

Hybrid Hyper-scale Enterpris e Grade Azure compute regions.
OPTIMIZED DATA CENTER Well Managed Infrastructure & Applications CLOUD Service Oriented The Evolution Silo-ed Efficiency Host / Collocate Legacy Application.

OPTIMIZED DATA CENTER Well Managed Infrastructure & Applications CLOUD Service Oriented The Evolution Silo-ed Efficiency Host / Collocate Legacy Application.
Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL

Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL
Microsoft Ignite /16/2017 5:30 PM

Microsoft Ignite /16/2017 5:30 PM
Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL.

Light IT up. Microsoft Learning Ignite | May 4 – 8, 2015 | Chicago, IL.
38 sessions at TechEd talking about some aspect of “Hybrid”

38 sessions at TechEd talking about some aspect of “Hybrid”
Customer needs EnterpriseGrade HyperScale Hybrid.

Customer needs EnterpriseGrade HyperScale Hybrid.
The spring release of Windows Azure Infrastructure as a Service introduces new functionality that allows full control and management of virtual machines.

The spring release of Windows Azure Infrastructure as a Service introduces new functionality that allows full control and management of virtual machines.
Hybrid Hyper-scale Enterpris e Grade Azure compute regions.

Hybrid Hyper-scale Enterpris e Grade Azure compute regions.
CustomerSegment and workloads Virtual Network DNS Server Microsoft Azure.

CustomerSegment and workloads Virtual Network DNS Server Microsoft Azure.
Microsoft Azure Virtual Networks. Networking Compute Storage Virtual Machine Operating System Applications Data & Access Runtime Provision.

Microsoft Azure Virtual Networks. Networking Compute Storage Virtual Machine Operating System Applications Data & Access Runtime Provision.
DIRECT-TO-CLOUD Issues & Implications Dale McCarty.

DIRECT-TO-CLOUD Issues & Implications Dale McCarty.
Windows Azure Networking & Active Directory Nasir (Muhammad Nasiruddin) Developer Evangelist - Azure Microsoft Corporation

Windows Azure Networking & Active Directory Nasir (Muhammad Nasiruddin) Developer Evangelist - Azure Microsoft Corporation
LB VIP:Input Endpoint Internal Endpoint foo.cloudapp.net  VIP.

LB VIP:Input Endpoint Internal Endpoint foo.cloudapp.net  VIP.
CONTROL COST-EFFICIENCY SharePoint (On-premises) SharePoint Value Prop Full h/w control – size/scale Roll-your-own HA/DR/scale Value Prop 100% of.

CONTROL COST-EFFICIENCY SharePoint (On-premises) SharePoint Value Prop Full h/w control – size/scale Roll-your-own HA/DR/scale Value Prop 100% of.
Windows Azure Virtual Networks. Agenda LB VIP: Input Endpoint Internal Endpoint foo.cloudapp.net  VIP.

Windows Azure Virtual Networks. Agenda LB VIP: Input Endpoint Internal Endpoint foo.cloudapp.net  VIP.
Building Apps with IaaS and PaaS Name Title Organization.

Building Apps with IaaS and PaaS Name Title Organization.
Microsoft Azure Virtual Machines. Networking Compute Storage Virtual Machine Operating System Applications Data & Access Runtime Provision & Manage.

Microsoft Azure Virtual Machines. Networking Compute Storage Virtual Machine Operating System Applications Data & Access Runtime Provision & Manage.

Similar presentations

Ads by Google