ExpressRoute Fridays with the C+E Black Belts (Microsoft, 2016/09/30)
TRANSCRIPT
Speakers:
Olivier Martin (@omartin) – Azure Networking Black Belt
Kevin Lopez (@kevlopez) – ER Partner Sales Executive
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive
Kevin Sullivan (@kevinsul) – BCDR and ER Black Belt
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Sessions are recorded.
• We’ll post material @ http://aka.ms/AzureNetworkingFridays
• Ignite: Great new things!
• Deep dive topic of the week:
  • Guest Speaker: Karthik Ananthakrishnan (Azure Networking Principal Product Manager for ExpressRoute)
  • ExpressRoute Layer 2 Detailed Scenarios
• Azure Networking Partner Spotlight: Barracuda Networks (NGF)
• Open Q&A !
Agenda for September 30th, 2016
What’s new from Ignite 2016?!
High performance networking
• Performance increase across all VM SKUs globally
• SDN/Networking policy applied in software in the host
• Hardware accelerators used to apply all policies
The Virtual Datacenter
[Diagram: Azure Active Directory above several Azure subscriptions, each with its own access control; each subscription holds Virtual Networks with FW, IIS and SQL tiers behind Azure load balancers, reached over ExpressRoute and the Internet.]
Building and running services on Azure
IPv6 for Azure VMs: General Availability
[Diagram: IPv4 and IPv6 clients and services reach Azure VMs (IaaS) through the Azure Load Balancer, which exposes an IPv6 VIP and an IPv4 VIP, with inbound and outbound Internet connectivity; Azure services and storage are also shown.]
WAF SKU for Application Gateway
• Available for public and private endpoints
• ModSecurity and Core Rule Set
• WAF logs integrated with Azure Insights; Azure Security Center integration coming soon
• Portal, PowerShell, SDK supported
[Diagram: Application Gateway (WAF, L7 LB) in front of Site 1 and Site 2 passes a valid request and blocks a SQL Injection and an XSS attack; a second diagram shows Application Gateway instances in a Virtual Network fronting VM/SQL tiers, with logs sent to Azure Security Center, Azure Insights and Storage.]
Enables new virtual appliance scenarios
Secure and private cross-premises connectivity
• BGP for redundant paths and dynamic routing: automatic shortest path selection and failover
• Transit over Microsoft global network: secure connectivity using Internet only for “last mile”
• Support on-premises network with multiple ISPs and VPN devices
From active-standby to active-active
• Support both cross-premises and VNet-to-VNet connectivity
• Spreading traffic over multiple tunnels simultaneously
[Map: ExpressRoute locations]
Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt
US Government: Dallas, Washington DC, New York, Chicago
Also shown: Germany, China
Gateway SKU        Max. Throughput (Gbps)
Standard           1
HighPerformance    2
UltraPerformance   10
Monitoring and Diagnostics
Deeper insights into your network
ExpressRoute
• Peering connection statistics
• ARP table, Route Summary, Route Table
Virtual Network
• Effective security rules on every NIC
• Next hop and effective routes for every NIC in the subnet
Application Gateway
• Metrics and alerts
• Back end health information
Technical Deep Dive with special guest: Karthik Ananthakrishnan, ExpressRoute Principal Product Manager
ExpressRoute Customer Connectivity Options
Customers can connect to ExpressRoute using:
1. Virtual cross-connection to ExpressRoute through the co-location provider’s Ethernet exchange
2. Point-to-point Ethernet connection through a service provider
3. IPVPN connection through an MPLS provider
MPLS providers typically offer managed Layer 3 connectivity and will address the VLAN mapping and routing for ExpressRoute.
Layer 2 providers will typically provide VLAN mapping for customers. Customers are responsible for setting up routing with ExpressRoute.
[Diagram: Primary Circuit and Secondary Circuit between Partner Edge and Microsoft Edge, with one customer VLAN tag (CTAG) per routing domain.]
CTAG 10: Traffic to Office 365 Services
CTAG 20: Traffic to public IP addresses in Azure
CTAG 30: Traffic to Virtual Networks (VNets)
ExpressRoute VLAN Scenarios With Layer 2 Providers (802.1Q)
802.1Q VLAN Handoff To Customer
Some Customer Edge devices do not support QinQ VLANs. The Layer 2 provider will provide a VLAN mapping service to deliver an 802.1Q handoff to customers. The customer can terminate the provider Layer 2 connection on a single device or a device pair.
802.1ad (QinQ) VLAN Handoff To Customer
In this example, the provider swaps the outer tag on the carrier network. The inner tag assigned on the ExpressRoute circuit can remain unchanged or be remapped by the provider. The customer needs to configure a BGP pair for each routing domain (Private, Public and Microsoft) to be covered by the ExpressRoute SLA.
ExpressRoute VLAN Scenarios With Layer 2 Providers (802.1ad)
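As an added example (not Microsoft’s, the provider’s or any vendor’s code) of the two handoff scenarios above: a small Python parser that walks the 802.1Q / 802.1ad tag stack of an Ethernet frame, models the provider swapping the outer tag, and maps the innermost customer tag to its ExpressRoute routing domain using the CTAG 10/20/30 values from the circuit diagram. The MAC addresses, S-TAG value and payload are constructed sample data; a customer tag outside the expected set is rejected, which is the check a customer edge wants when the provider remaps tags.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q tag (single-tag handoff, or the inner C-TAG under QinQ)
TPID_8021AD = 0x88A8   # 802.1ad service tag (the provider's outer S-TAG)
# C-TAG to routing-domain mapping taken from the circuit diagram on the slide.
CTAG_DOMAIN = {10: "Office 365 Services", 20: "Public IP addresses in Azure",
               30: "Virtual Networks (VNets)"}

def build_frame(ctag, stag=None, payload=b"\x00" * 46):
    """Constructed sample frame: dummy MACs, optional S-TAG, C-TAG, IPv4 ethertype."""
    hdr = b"\x02" * 6 + b"\x04" * 6                       # dst MAC, src MAC (constructed values)
    if stag is not None:
        hdr += struct.pack("!HH", TPID_8021AD, stag & 0x0FFF)
    hdr += struct.pack("!HH", TPID_8021Q, ctag & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload

def parse_tags(frame):
    """Walk the VLAN tag stack after the MAC addresses; return ([(tpid, vid), ...], ethertype)."""
    off, tags = 12, []
    while True:
        tpid, = struct.unpack_from("!H", frame, off)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid                              # first non-TPID value is the payload ethertype
        tci, = struct.unpack_from("!H", frame, off + 2)
        tags.append((tpid, tci & 0x0FFF))                  # low 12 bits of the TCI are the VLAN ID
        off += 4

def swap_outer_tag(frame, new_stag):
    """Model the provider swapping the outer tag on its carrier network; the inner tag is untouched."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021AD:
        raise ValueError("not a QinQ frame")
    return frame[:14] + struct.pack("!H", (tci & 0xF000) | (new_stag & 0x0FFF)) + frame[16:]

def classify(frame):
    """Identify the handoff type and map the innermost (customer) tag to its ExpressRoute routing domain."""
    tags, ethertype = parse_tags(frame)
    if not tags:
        raise ValueError("untagged frame: no VLAN handoff present")
    ctag = tags[-1][1]                                     # innermost tag is the customer tag
    if ctag not in CTAG_DOMAIN:
        raise ValueError(f"unexpected C-TAG {ctag}: provider remapping does not match the circuit")
    return {
        "handoff": "802.1ad (QinQ)" if len(tags) == 2 else "802.1Q",
        "stag": tags[0][1] if len(tags) == 2 else None,
        "ctag": ctag,
        "domain": CTAG_DOMAIN[ctag],
        "ethertype": ethertype,
    }
```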
Azure Portal Set-up For VLAN and Routing Configuration
Partner Spotlight : Barracuda Networks
Accelerating Your Journey to a Safe Cloud
Barracuda Security Solutions for Microsoft Azure
Today’s Discussion
It’s all about securing workloads in Microsoft Azure
• Moving applications to the cloud
• Building out data center capacity
• The logistics of remote connectivity of workloads in the cloud
• How to ensure security across common scenarios
Migrating to the Cloud?
Prepare for These Common Challenges:
• Security, privacy, and compliance concerns
• Managing mission-critical or development workloads
• Complexities of migrating your physical data center to Microsoft Azure
• Vulnerabilities to mobile and Bring-Your-Own-Devices, web 2.0 applications, and remote network users
Customer’s Responsibility in a Shared Security Model
[Diagram: Azure takes care of the security OF the cloud (Azure Platform: Physical Infrastructure, Network Infrastructure, Virtualization Layer); your company defines controls and security IN the cloud (Customer Applications & Content, Network Security, Identity & Access Control, Operating Systems / Platform, Data Encryption).]
Barracuda Security Solutions for Microsoft Azure
Accelerating Your Journey to a Safe Cloud
Security, Compliance, Migration, Control
• Ensure users, data and applications are protected: employ multi-layer security, archiving, and data protection technology
• Optimize user productivity: improve company-wide collaboration and minimize employee downtime
• Seamless, unified experience: continue the same level of familiarity with the technologies as workloads are moved from on-premises to the cloud
• Maximize Azure investment: overcome potential adoption challenges to realize the value of your investment faster
Barracuda NextGen Firewall F
Cloud Security Threats
• Community gaps
• Exploited system vulnerabilities
• Remote access
Barracuda NextGen Firewall F on Azure
The Ultimate Protection Against Network Security Threats
Networking & Infrastructure
• IPS/IDS: integrated intrusion prevention
• URL filtering
• User and application aware
• IPsec VPNs secure remote connectivity
• Dynamically scales with your network
Networking Protection
Multi-Tier Architecture: Build secure multi-tier architecture in Azure to keep a level of segregation between tiers
VPN Tunnels: Unlimited site-to-site VPN tunnels to connect two networks protected by F-Series Firewalls
Traffic Control: Inbound/outbound traffic control while providing IPS/IDS functionality
Access to Resources: Access to resources in Azure (unlimited client-to-site VPN, SSL VPN)
ExpressRoute: Visibility and control on all traffic coming across the ExpressRoute connection
Most Common Use Cases
Use Case – Multi-Tier
Deploying Multi-Tier Architecture in Azure
Secure remote access for mobile users
• Dedicated VPN clients available for Windows, Mac, Linux
• Clientless SSL VPN
• Multiple supported protocols: TINA, IPsec, L2TP, PPTP
Multiple site-to-site connectivity
• VNET-to-VNET connectivity
• Automatic user ID synchronization across sites
• Supports multiple ISPs
• Built-in WAN optimization
• Full ExpressRoute support
Comprehensive security enforcement
• Internal and cross-region network segmentation
• Access control based on user and instance identity
• Full traffic visibility and monitoring
Best Practices: Multi-Tier Architecture
Controlling traffic between VNETs
• Provide full visibility into traffic using IP, port, application, or protocol
• Control traffic between VNETs (block, allow, or re-direct)
Preventing direct connections through a reverse-proxy architecture
• Terminate all connections at a proxy
• Decrypt all data
• Inspect for any malicious content or embedded attacks
Improve VPN Connectivity: Overcoming IPsec Limitations
• Powerful extensions to standard IPsec tunnel management
• TINA (Transport Independent Network Architecture) developed exclusively by Barracuda
• The TINA protocol allows use of TCP, UDP, and ESP for high speed VPN connections
• Substantially improves the VPN connectivity
Use Case – ExpressRoute
Protecting Microsoft Azure ExpressRoute
Security
• Encrypts traffic across ExpressRoute
• Prevents direct traffic flow between applications and the cloud
• Inspects and logs all inbound and outbound traffic for reporting purposes
Reliability
• VNET-to-VNET connectivity
• Automatically sets up a VPN for secondary connection in the event of failure
• Allows multiple ExpressRoutes; one primary and one secondary
Intelligence
• Prioritizes traffic from any specified application and sends it via a configured link
• Blocks specific application traffic from going to and from Azure
• Allows or denies certain users based on credentials and access privileges
Best Practices: Securing ExpressRoute
Preserving Low Latency: Maintain a quality of service based on protocol and application to achieve equal or better bandwidth than other applications
Controlling Traffic Access: Monitor and control traffic based on IP addresses, ports, protocol, user identity, AD security groups, FQDN, application detection, and RPC portmapper information
Protecting Networks from MPLS Failure: Switch to an internet baseline in the event of MPLS router or line failure, and then automatically use that particular connection
Enabling End-to-End Line Security: Encrypt traffic from end-to-end and send it through the system, while maintaining full control over keys and algorithms
User and Application Awareness: Barracuda NextGen Firewall F
Next Steps and Resources
1. Learn more: For a rich library of resources, visit the Barracuda Azure website www.barracuda.com/azure
2. Contact [email protected]
3. Start a 30-day free trial
4. Ask for a demo and proof-of-concept
Videos, Technical Briefs, Deployment Architecture Diagrams
Open Q&A
Thank you! Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays