https://blog.kvaes.be/@kvaes
Karim Vaes
Agenda
01 Networking Patterns
02 Routing
03 Outbound Connections
04 Network Virtual Appliance
05 Cost Drivers
06 One More Thing
07 Q&A
Networking Patterns
• Island Mode
• Hybrid Connection
• Network Virtual Appliance: Northbound, Southbound, WAF, NGFW
• Hub & Spoke Model

Growth Model
https://kvaes.wordpress.com/2017/10/02/azure-networking-blueprint-patterns-for-enterprises/
(diagram: growth path through the stages Island Mode, Hybrid Connection, NGFW, +WAF, +NGFW, Hub & Spoke)
Routing “Basics”

Azure Routing Explained
• Longest Prefix Matching wins
• In case of a tie:
  1. User Defined Route (Custom)
  2. Border Gateway Protocol (BGP)
  3. System Route (Azure Default)
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

Longest Prefix Matching
Target IP = 10.100.200.97
Configured Routes
• 10.0.0.0/8
• 10.100.0.0/16
• 10.100.200.0/24
• 10.100.200.97/32 => WINS (LPM)
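The selection rule from the two routing slides above, written out as an added example that is not part of the original deck: longest prefix first, then User Defined Route over BGP over System route on a tie. The prefixes mirror the slide; the route origins, next hops and the 0.0.0.0/0 tie case are constructed.

```python
import ipaddress
from collections import namedtuple

# Added example, not from the slides: a model of the route-selection rule stated on
# the "Azure Routing Explained" slide. Longest prefix wins; on equal prefix length
# the route origin decides: User Defined Route > BGP > System route.
Route = namedtuple("Route", "prefix origin next_hop")
ORIGIN_RANK = {"UserDefined": 0, "BGP": 1, "System": 2}

# Prefixes from the "Longest Prefix Matching" slide; origins and next hops are constructed.
SLIDE_ROUTES = [
    Route("10.0.0.0/8", "System", "VirtualNetwork"),
    Route("10.100.0.0/16", "BGP", "VirtualNetworkGateway"),
    Route("10.100.200.0/24", "UserDefined", "VirtualAppliance 10.0.1.4"),
    Route("10.100.200.97/32", "UserDefined", "VirtualAppliance 10.0.1.5"),
]

# Constructed tie case: Azure's default route to the Internet and a UDR with the
# same 0.0.0.0/0 prefix that forces all egress through an NVA.
TIE_ROUTES = [
    Route("0.0.0.0/0", "System", "Internet"),
    Route("0.0.0.0/0", "UserDefined", "VirtualAppliance 10.0.1.4"),
]


def select_route(routes, target_ip):
    """Return the Route that wins for target_ip, or None if no prefix contains it."""
    ip = ipaddress.ip_address(target_ip)
    matching = [r for r in routes
                if ip in ipaddress.ip_network(r.prefix, strict=False)]
    if not matching:
        return None
    # Longest prefix first; on a tie the lowest origin rank (UDR < BGP < System).
    return min(matching, key=lambda r: (
        -ipaddress.ip_network(r.prefix, strict=False).prefixlen,
        ORIGIN_RANK[r.origin]))


if __name__ == "__main__":
    print(select_route(SLIDE_ROUTES, "10.100.200.97"))  # the /32 wins by LPM
    print(select_route(TIE_ROUTES, "8.8.8.8"))          # the UDR beats the system route
```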
Routing “Beyond the Basics”

Service Endpoints & Service Injection
• Injection: dedicated PaaS services, like for example App Service Environment
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

VNET Peering
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

Layer 2
• Is not under –your- control… (due to the network virtualization layer)
• Azure is all about Layer 3 in terms of design.
• Use the Load Balancer to “work around” this.
One more thing
Conflicting / overlapping IP plans
Outbound Connections
What IP will be seen externally?

| Scenario | Method | Protocols | Description |
| --- | --- | --- | --- |
| VM with own PIP | SNAT only | TCP, UDP, ICMP, ESP | Azure uses the public IP assigned to the IP configuration of the instance's NIC. The instance has all ephemeral ports available. |
| VM behind LB | SNAT with PAT using LB PIP | TCP, UDP | Azure shares the public IP address of the public Load Balancer frontends with multiple private IP addresses. Azure uses ephemeral ports of the frontends to PAT. |
| VM without PIP or LB | SNAT with PAT using shared PIP | TCP, UDP | Azure automatically designates a public IP address for SNAT, shares this public IP address with multiple private IP addresses of the availability set, and uses ephemeral ports of this public IP address. This is a fallback scenario for the preceding scenarios. We don't recommend it if you need visibility and control. |
Gotcha of the day
• Using an Internal Standard Load Balancer?
  • Assign a PIP per node, or
  • Add the nodes to an External Load Balancer with “dummy” rules
  • Or the nodes won’t be able to reach the outside world…

Load Balancer Trivia
• Using an External Standard Load Balancer
  • “Secure by Default”
  • “Closed by default for public IP and Load Balancer endpoints and a network security group must be used to explicitly whitelist for traffic to flow!”
Network Virtual Appliance

Before anything
Draw a high level, 10 mile high overview of your security rules!
... which everyone can understand!
… and then start discussing the NVA

Now let’s talk about… Network Virtual Appliances
Firewalls in Physical Networks
(diagram: a physical firewall with one NIC per connected network)

Azure = Layer 3 +
(diagram: NVA NICs attached to a Trusted subnet 10.10.0.0/16 and an Untrusted subnet 10.20.0.0/16, inside Address Space 10.0.0.0/8)

Floating IP = Load Balancer
(diagram: the load balancer health-probes each NVA NIC: “Are you alive?” / “All good”)

How many NICs does it take…
Flow Symmetry – Single NIC
(diagram: request with Src IP Addr: Trusted VM IP, Dest IP Addr: Untrusted VM IP, Src Port: X, Dest Port: Y; reply with Src IP Addr: Untrusted VM IP, Dest IP Addr: Trusted VM IP, Src Port: Y, Dest Port: X)
https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/

Flow Symmetry – Dual NIC
(diagram: each NVA with two NICs; SNAT applied on the outbound path, SNAT reversed on the return path)

Responding to probes
(diagram: health probes arrive on every NVA NIC from 168.63.129.16)

Key Takeaways
• Floating IP = Load Balancer IP
• Dual NIC = Complex
  • Require SNAT
• Test NVA response to probes
• Single NIC (recommended)
  • No SNAT needed
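The single-NIC and dual-NIC flow-symmetry slides and the Key Takeaways, as an added illustrative model that is not part of the original deck: a stateful NVA only keeps its state if the reply reaches the same instance as the request. The hash function, load-balancer seeds, NVA names and addresses are constructed, and the model does not reproduce Azure's actual load-balancer hashing.

```python
import hashlib
import random
from collections import namedtuple

# Added example, not from the slides: an abstract model of the flow-symmetry problem
# for a stateful NVA behind load balancers. Hash, seeds and addresses are constructed
# for illustration; this is not Azure's real load-balancer algorithm.
Flow = namedtuple("Flow", "src dst sport dport proto")
NVAS = {"nva-a": "10.20.0.4", "nva-b": "10.20.0.5"}  # NVA name -> untrusted-side NIC IP

def lb_pick(flow, lb_seed, symmetric):
    """Hash a 5-tuple to one NVA; symmetric=True canonicalises the endpoint order
    so that a request and its reply produce the same hash input."""
    a, b = (flow.src, flow.sport), (flow.dst, flow.dport)
    if symmetric and b < a:
        a, b = b, a
    digest = hashlib.sha256(f"{lb_seed}|{a}|{b}|{flow.proto}".encode()).digest()
    return list(NVAS)[int.from_bytes(digest[:4], "big") % len(NVAS)]

def reply(flow):
    """Reply packet: addresses and ports swapped, as on the Flow Symmetry slides."""
    return Flow(flow.dst, flow.src, flow.dport, flow.sport, flow.proto)

def sample_flows(count, seed=1):
    """Constructed TCP flows from the trusted 10.10.0.0/16 to the untrusted 10.20.0.0/16."""
    rnd = random.Random(seed)
    return [Flow(f"10.10.{rnd.randrange(256)}.{rnd.randrange(4, 250)}",
                 f"10.20.{rnd.randrange(256)}.{rnd.randrange(4, 250)}",
                 rnd.randrange(1024, 65535), 443, "tcp") for _ in range(count)]

def single_nic_mismatch_rate(symmetric, count=500):
    """Single NIC: one LB sees both directions. Share of flows whose reply is hashed
    to a different NVA than the request, i.e. the firewall state is lost."""
    bad = sum(lb_pick(f, "ilb", symmetric) != lb_pick(reply(f), "ilb", symmetric)
              for f in sample_flows(count))
    return bad / count

def dual_nic_mismatch_rate(snat, count=500):
    """Dual NIC: trusted-side and untrusted-side LBs hash independently. With SNAT the
    NVA rewrites the source to its own untrusted NIC IP, so the reply bypasses the hash."""
    bad = 0
    for f in sample_flows(count):
        chosen = lb_pick(f, "ilb-trusted", True)
        if snat:
            egress = Flow(NVAS[chosen], f.dst, f.sport, f.dport, f.proto)
            back_to = next(name for name, ip in NVAS.items() if ip == reply(egress).dst)
        else:
            back_to = lb_pick(reply(f), "ilb-untrusted", True)
        bad += back_to != chosen
    return bad / count
```

Compare single_nic_mismatch_rate(True) with (False), and dual_nic_mismatch_rate(True) with (False), to see why a single NIC needs no SNAT while a dual-NIC design does.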
Cost Drivers
https://kvaes.wordpress.com/2018/01/04/understanding-the-budget-impact-of-azure-networking-on-your-architecture/
What to remember?
• Understand cost drivers
• Design accordingly
• Network is mostly <2-3% of the cost
One More Thing

Azure Firewall
What is it?
• Stateful firewall as a Service
• Built-in high availability with unrestricted cloud scalability
• Centrally create, enforce, and log application and network connectivity policies across subscriptions and VNETs
• Inbound NAT & Outbound SNAT support
• Rule base works with DNS naming
• First tier Azure service
Diff with NGFW
• Cannot be deployed outside of Azure
• No IPS/DPI
Azure Virtual WAN
When to use?
• Bigger VPN scale needed (10Gbit & 100 connections)
• O365 Integration
• Breakout via Azure (0.0.0.0/0 to Azure)
• Neutral Network HUB
Gotcha
• Virtual HUB is not global
• O365 is currently Citrix only
Azure ExpressRoute

Global Reach
Global Reach is an enhancement to Azure ExpressRoute (ER) offering end-to-end IP transport. Compared to the current functionality, which allows customers to attach Azure to their WAN to consume services, Global Reach adds endpoint-to-endpoint transit, allowing customers to use the Azure backbone to route traffic between connected offices or entities.

Direct
ExpressRoute Direct provides customers with the ability to connect directly into Microsoft’s global network at peering locations strategically distributed across the world. ExpressRoute Direct provides dual 100Gbps connectivity, which supports Active/Active connectivity at scale.
Microsoft Azure Front Door (AFD) is a service that offers a single global entry point for customers accessing web apps, APIs, content and cloud services. Through a single pane of glass and global infrastructure, AFD enables Azure customers to build, manage and secure their global applications and content, migrate to cloud and modern microservice-based architectures while improving their users’ experience.
• Cloud native, integrated
• Enables real-time hyperscale for single domain microservice apps where DNS traffic management cannot
• Provides applications with premium edge performance acceleration and caching via Microsoft’s unique global WAN
• Customers get a single pane of glass for service orchestration and global traffic optics
(diagram: Microsoft Azure Front Door services: end-user, Front Door, global WAN, global orchestration, global optics, three Regional App Stamps)
https://kvaes.wordpress.com/2018/10/03/trying-out-the-azure-front-door-service/
If you are reading this…
You made it to the end! (without falling asleep)

Surely there must be questions which I can answer for you!

Feedback?
I would love to hear from you!
For example: Please use another speaker next time!
A Deepdive into Azure Networking


Editor's Notes
• #2 Source of the original: https://content.microsoftready.com/FY18Q3/session/API-AZD309
• #47 Talking Points