1. Partner Practice Enablement - Overview This session is focused on networking with Microsoft Azure Infrastructure Services. Learn how to enable, secure and load balance network endpoints. Learn about hybrid connectivity options with Microsoft Azure Virtual Networks as well as distributing traffic globally with Microsoft Azure Traffic Manager. Audience: IT Professionals, Architects Module 1 – Introduction to Microsoft Azure Module 2 – Microsoft Azure Virtual Machines Module 3 – Microsoft Azure Networking Module 4 – Microsoft Azure Active Directory Module 5 - Cloud Services and Web Sites Module 6 - SQL Server and SharePoint Module 7 - Management and Monitoring

2. CEO & Co-Founder of Opsgility, Experts in Instructor-Led Microsoft Azure Training. Prior to starting Opsgility Michael was a Principal Cloud Architect with a leading Solution Integrator and a fifteen year Microsoft veteran. While at Microsoft Michael's roles included being a Senior Program Manager on the Microsoft Azure Runtime team and a Senior Technical Evangelist for Microsoft Azure Infrastructure Services. Michael was the original developer of the Microsoft Azure PowerShell Cmdlets and is a globally recognized speaker for conferences such as TechEd and BUILD. About the Instructor Michael Washam Microsoft Azure Trainer http://www.opsgility.com Twitter: @MWashamTX michael@Opsgility.com

3. Microsoft Azure Networking

4. Agenda Endpoints Virtual Networks Point to Site Site to Site ExpressRoute Traffic Manager

5. Endpoints

6. Overview: Connectivity in Azure VIP: Input Endpoint Input Endpoint cloudservice.cloudapp.net  VIP Public Virtual IP Address (VIP) Internal IP Address(s) Internal IP Address

7. Reserved IP Addresses Reserved IP Addresses for Cloud Service IPs Persistent external IP address even if all virtual machines are stopped or deleted. Set via the Azure PowerShell Cmdlets New-AzureReservedIP -ReservedIPName "myIP" ` -Location "West US" New-AzureVM -ReservedIPName "myIP"...

8. Port Forwarding Input Endpoints Single Public IP Per Cloud Service Multiple VMs cannot share the same public port

9. Per Virtual Machine Public IP Addresses Each virtual machine can be assigned a public IP address IP is not load balanced or behind firewall Not available in all regions 23.100.44.180 23.100.44.181 New-AzureVMConfig -Name "vm1"... | Add-AzureProvisioningConfig -Windows... | Set-AzurePublicIP -PublicIPName "vm1ip" | New-AzureVM...

10. DEMO Default Networking Configuration

11. Using the External Load Balancer Single Public IP Per Cloud Service Multiple VMs can share the same public port

12. TCP Health Probe

13. Health probe every 15 seconds HTTP 200 means healthy Traffic stops until 200 received (two failures) Continues polling until healthy Allows deeper inspection into the health of a web application via custom code. HTTP Health Probe

14. Load Balancer: Custom Health Probe

16. LAB 3 Load Balancer

17. Public Endpoint Access Control Lists Tighten security with public Access Control Lists

18. Configuring ACLs Rule Configuration Specify Remote Subnet(s) Permit or Deny and Rule Processing Order Description for each Rule Configuration Portal or PowerShell

19. LAB 4 Access Control Lists

20. Virtual Networks

21. Virtual Network Logical isolation with control over the network Create subnets; use your private IP addresses Support for Static IP addresses Support for Internal Load Balancing DNS options – BYO or Microsoft Azure-provided Extend your trust boundary – VMs and Cloud Services on the same Network Virtual Network subnetXsubnetY subnetZ DNS Server

22. Bring Your Own DNS Specify DNS Servers in the Virtual Network Hosted in an Azure VM External On-Premises (with hybrid connection) VMs are assigned specified DNS at boot. TIP: if DNS is added after a virtual machine is running a reboot is required for assignment.

23. Internal Load Balancing with Virtual Networks Virtual Network Address Space: 10.0.0.0/16 On Premises 192.168.0.0/16 Active Directory Replication Access on-premises resources Access intranet over hybrid connection https://spintranet Map to: 10.0.0.100 Set Internal Load Balancer IP New-AzureInternalLoadBalancerConfig http://spintranet Hybrid Connection

24. Static IP Addresses Use Static IP addresses to request a specific IP address be assigned to the virtual machine. Addresses available from assigned virtual network subnet. Will fail if another virtual machine has already been assigned the IP. Deploy Virtual Machines with Static IP addresses into their own subnets to avoid conflict with other virtual machines. Set via PowerShell (Set-AzureStaticVNetIP)

25. Microsoft Azure Hybrid Options CustomerDescription

26. Comparing Hybrid Options BandwidthSecurityManagementWorkloads ExpressRoute 10 Mbps – 10 Gbps Committed Bandwidth Private isolated network between provider and Azure. Control over routing and traffic. Configure once, simple to add new virtual networks Enterprise Connectivity Mission Critical Disaster Recovery Hybrid Applications Site-to-Site 80 Mbps No performance commitment Encrypted tunnel over the Internet Configuration of IPSEC VPN device for each Virtual Network Created Hybrid Applications Dev/Test Secure Management Point-to-Site 80 Mbps No performance commitment Encrypted tunnel over the Internet Configuration with each individual client machine. Dev/Test Secure Management CAPABILITIES

27. Hardware VPN or Windows RRAS Virtual Network WFEApp VPN Gateway Extend on-premises to the cloud securely (IPSec) On-ramp for migrating services to the cloud Use on-prem resources in Microsoft Azure (monitoring, AD, etc.) IPSec (IKEv1 and IKEv2) SQL DC/DNS Site-to-Site Virtual Network

28. Regional Virtual Networks Connect Virtual Networks Across Azure Regions or Subscriptions West US East US INTERNET IPSEC

29. Multi-Site Virtual Networks Secure IPSEC

30. Virtual Networks & P2S Connectivity Connect from anywhere securely Secure Sockets Tunneling Protocol (SSTP) Easy to setup and use Ideal for prototyping, dev, & demos P2S and S2S coexist Virtual Network WFEApp VPN Gateway SQL DC/DNS

31. LAB 5 POINT TO SITE

32. Virtual Network Device Options Generic VPN devices must support: IKE v1, v2 AES 128, 256 SHA1, SHA2 http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx

33. Creating a Virtual Network Always plan and create the virtual network first VMs are provisioned into a virtual network (cannot easily move an existing virtual machine to a VNET) Virtual Network configuration file Import/Export from the management portal – use as a template Applies to all VNETs in the selected subscription Create via Microsoft Azure management portal Create via PowerShell get-help azurevnet

34. Gateway redundancy and availability Gateway roles in Microsoft Azure has 2 instances (active-passive mode) A pair of VPN devices can be a redundant (i.e. F5 Big IP) and the RRAS service on Windows Server is supported in a clustered configuration.

35. Pricing and SLA $0.05/hour (~$37/month) Standard data transfer rates apply 99.9% Virtual Network gateway availability

36. Video Site-to-Site Virtual Networks

37. ExpressRoute

38. What is ExpressRoute? ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment.

39. ExpressRoute Providers WAN

40. Network Service Providers High Performance and Predictable Exchange Providers Monthly fee with included outbound data transfer. Unlimited inbound data transfer included Monthly dual-port fee. Unlimited data transfer (in and out) included

41. Enable mission critical workloads

42. Security and Privacy Direct connect to your infrastructure hosted in Microsoft Azure by passing the public Internet Direct connect to Microsoft Azure Services such as SQL Database and Microsoft Azure Storage Azure Edge Connectivity Provider Infrastructure ExpressRoute Circuit Dedicated and Private Traffic to Microsoft Azure Public Services Traffic to Microsoft Azure Virtual Networks Microsoft Azure Compute PUBLIC INTERNET

43. Public and Private peering Provider Infrastructure Direct internet traffic Cross Premises Internet bound Azure service access PUBLIC INTERNET

44. Public Services (West US) Virtual Network (West US) Public Peering Private Peering Express Route Circuit Isolated VLANs Microsoft Azure Private Network Virtual Network (East US) Public Services (East US) Traffic to on-premises Cross Region Connectivity

45. ExpressRoute and Disaster Recovery Active Directory SharePoint WEB Equinix – Silicon Valley Active Directory SharePoint App F5 BIG IP Load Balancer SharePoint App SQL Witness SQL Primary SharePoint WEB SQL Always On AVSET: SPWEB AVSET: SPAPP SQL Replica AVSET: AD ExpressRoute Circuit (1Gps) Sync Commit for Auto-Failover Domain Controller Microsoft Azure - West US

46. Deploying Globally with Traffic Manager

47. Traffic Manager – DNS Based Load Balancer Three Load Balancing Algorithms Performance, Round Robin, Fail Over Map your domain name to yourservice.trafficmanager.net with CNAME contoso.com -> contosotm.trafficmanager.net Map cloud service URLs in global data centers to Traffic Manager Profile. contosoeast.cloudapp.net contosowest.cloudapp.net Built in HTTP Health Probes for High Availability

48. Performance Traffic Manager determines fastest route for the client and returns IP for the appropriate cloud service.

49. Round Robin Traffic Manager returns IPs in a round robin fashion regardless of client location.

50. Failover Traffic Manager always returns the IP address of the primary cloud service unless it fails a health check. X

51. DEMO Microsoft Azure Traffic Manager

52. Summary Endpoints Virtual Networks Point to Site Site to Site ExpressRoute Traffic Manager

53. Coming Up Next... Microsoft Azure Active Directory

54. Thank You