A deep-dive into Azure Networking!

Transcription

1 A deep-dive into Azure Networking! Karim Vaes

2 Karim Vaes Former Azure MVP, Now TSP Microsoft or Cloud Solution Architect with a focus on Application Development on

3 Networking Patterns Routing Outbound Connections Network Virtual Appliance Cost Drivers Q&A Agenda

4 Networking Patterns

5

6 Island Mode

7 Hybrid Connection

8 Network Virtual Appliance

9 Northbound Southbound

10 WAF NGFW

11 Hub & Spoke Model

12 Growth Model Island Mode Hybrid Connection NGFW +WAF +NGFW Hub & Spoke

13 Routing Basics

14 Azure Routing Explained Longest Prefix Matching Wins In case of tie 1. User Defined Route (Custom) 2. Border Gateway Protocol (BGP) 3. System Route (Azure Default)

15 Longest Prefix Matching Target IP = Configured Routes / / / /32 => WINS (LPM)

16 Routing Beyond the Basics

17 Injection Dedicated PaaS Services, like for example App Service Environment Service Endpoints & Service Injection

18 VNET Peering

19 One more thing Conflicting / overlapping IP plans

20 Outbound Connections

21 Scenario Method Protocols Description VM with own PIP VM behind LB VM without PIP or LB SNAT only SNAT with PAT using LB PIP SNAT with PAT using shared PIP TCP, UDP, ICMP, ESP TCP, UDP TCP, UDP Azure uses the public IP assigned to the IP configuration of the instance's. The instance has all ephemeral ports available. Azure shares the public IP address of the public Load Balancer frontends with multiple private IP addresses. Azure uses ephemeral ports of the frontends to PAT. Azure automatically designates a public IP address for SNAT, shares this public IP address with multiple private IP addresses of the availability set, and uses ephemeral ports of this public IP address. This is a fallback scenario for the preceding scenarios. We don't recommend it if you need visibility and control. What IP will be seen externally?

22 Gotcha of the day Using an Internal Standard Load Balancer? Assign a PIP per node or Add the nodes to a External Load Balancer with dummy rules Or the nodes won t be able to reach the outside world

23 Load Balancer Trivia Using an External Standard Load Balancer Secure by Default Closed by default for public IP and Load Balancer endpoints and a network security group must be used to explicitly whitelist for traffic to flow!

24 Network Virtual Appliance

25 Before anything Draw a high level 10 mile high overview of your security rules!

26 ... which everyone can understand!

27 and then start discussing the NVA

28 Now let s talk about Network Virtual Appliances

29 Firewalls in Physical Networks

30 Azure = Layer 3 + Address Space /8 Trusted subnet /16 Untrusted subnet /16

31 Floating IP = Load Balancer Are you alive? All good Are you alive? All good

32 How many s does it take

33 Flow Symmetry Single Src IP Addr Trusted VM IP Dest IP Addr: Untrusted VM IP Src Port: X Dest Port: Y Payload Src IP Addr Untrusted VM IP Dest IP Addr: Trusted VM IP Src Port: Y Dest Port: X Payload

34 Flow Symmetry Single

35 Flow Symmetry Single Src IP Addr Trusted VM IP Dest IP Addr: Untrusted VM IP Src Port: X Dest Port: Y Payload Src IP Addr Untrusted VM IP Dest IP Addr: Trusted VM IP Src Port: Y Dest Port: X Payload

36 Flow Symmetry Dual SNAT reversed SNAT

37 Responding to probes From: From: From: From:

38 Key Takeaways Floating IP = Load Balancer IP Dual = Complex Require SNAT Test NVA response to probes Single (recommended) No SNAT needed

39 Cost Drivers

40

41 Understand cost drivers Design accordingly Network is mostly <1% of the cost What to remember?

42 If you are reading this You made it to the end! (without falling asleep)

43 Surely there must be... questions which I can answer for you!

44 FUTURE READY AZURE SKILLS Do you want to gain more knowledge about Microsoft technology? The Future Ready Skills program offers online courseware, online labs, live Q&A s and expert sessions, so you can acquire your official Microsoft Certificate in the most efficient way. For more information: aka.ms/frsblog

45 Next Session 17:30 18:30 Windows 10 is not your Daddy s Windows anymore Security improvements in the last builds Kim Oppalfens & Tom Degreef