2. AZURE
Karim Vaes
Former Azure MVP,
Now TSP AppDev @ Microsoft
or …
“Cloud Solution Architect with a focus on
Application Development on Azure”
@kvaes https://blog.kvaes.be/
17. AZURE
Service Endpoints & Service Injection
Service Injection: dedicated PaaS services deployed into your own VNet,
like for example App Service Environment
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview
https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services
21. AZURE
What IP will be seen externally?

Scenario 1: VM with its own PIP
  Method:      SNAT only
  Protocols:   TCP, UDP, ICMP, ESP
  Description: Azure uses the public IP assigned to the IP configuration of the
               instance's NIC. The instance has all ephemeral ports available.

Scenario 2: VM behind a Load Balancer
  Method:      SNAT with PAT using the LB PIP
  Protocols:   TCP, UDP
  Description: Azure shares the public IP address of the public Load Balancer
               frontends with multiple private IP addresses. Azure uses
               ephemeral ports of the frontends to PAT.

Scenario 3: VM without PIP or LB
  Method:      SNAT with PAT using a shared PIP
  Protocols:   TCP, UDP
  Description: Azure automatically designates a public IP address for SNAT,
               shares this public IP address with multiple private IP addresses
               of the availability set, and uses ephemeral ports of this public
               IP address. This is a fallback scenario for the preceding
               scenarios. We don't recommend it if you need visibility and
               control.
22. AZURE
Gotcha of the day
Using an Internal Standard Load Balancer?
A Standard-SKU internal Load Balancer gives its backend VMs no default outbound SNAT
(the Basic SKU still falls back to Azure's shared-PIP SNAT), so either:
• Assign a PIP per node
or
• Add the nodes to an External Load Balancer
with “dummy” rules
Or the nodes won’t be able to reach the outside world…
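Which of the three SNAT scenarios above applies to a NIC, and whether it has hit the internal Standard Load Balancer gotcha, can be read off the NIC and Load Balancer resource definitions. The following is an added example, not code from the talk: it walks NIC and Load Balancer objects in the ARM resource shape (constructed inline with invented names, addresses and resource IDs) and classifies each NIC. It also honours `disableOutboundSnat` on load-balancing rules and checks outbound rules, which the slides do not mention.

```python
# Outbound-path classifier for Azure NICs (added example; sample data is constructed).
_SUB = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
        "/providers/Microsoft.Network")


def _pool_id(lb, pool):
    return f"{_SUB}/loadBalancers/{lb}/backendAddressPools/{pool}"


def _nic(name, pip=None, pools=()):
    """Constructed NIC in ARM shape with one IP configuration."""
    ipconfig = {"privateIPAddress": "10.0.0.4",
                "loadBalancerBackendAddressPools": [{"id": p} for p in pools]}
    if pip:
        ipconfig["publicIpAddress"] = {"id": f"{_SUB}/publicIPAddresses/{pip}"}
    return {"name": name,
            "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": ipconfig}]}}


SAMPLE_LBS = [
    {   # public Standard LB with a "dummy" rule on port 80: SNAT via its frontend PIP
        "name": "lb-public", "sku": {"name": "Standard"},
        "properties": {
            "frontendIpConfigurations": [{"name": "fe-pub", "properties": {
                "publicIpAddress": {"id": f"{_SUB}/publicIPAddresses/pip-lb"}}}],
            "backendAddressPools": [{"name": "pool-web", "id": _pool_id("lb-public", "pool-web")}],
            "loadBalancingRules": [{"name": "rule-80", "properties": {
                "backendAddressPool": {"id": _pool_id("lb-public", "pool-web")},
                "disableOutboundSnat": False}}],
            "outboundRules": []}},
    {   # internal Standard LB: private frontend only, no outbound path (the gotcha)
        "name": "lb-internal", "sku": {"name": "Standard"},
        "properties": {
            "frontendIpConfigurations": [{"name": "fe-int", "properties": {"privateIPAddress": "10.0.1.10"}}],
            "backendAddressPools": [{"name": "pool-app", "id": _pool_id("lb-internal", "pool-app")}],
            "loadBalancingRules": [{"name": "rule-8080", "properties": {
                "backendAddressPool": {"id": _pool_id("lb-internal", "pool-app")}}}],
            "outboundRules": []}},
    {   # internal Basic LB: members still get Azure's default shared-PIP SNAT
        "name": "lb-internal-basic", "sku": {"name": "Basic"},
        "properties": {
            "frontendIpConfigurations": [{"name": "fe-int", "properties": {"privateIPAddress": "10.0.2.10"}}],
            "backendAddressPools": [{"name": "pool-legacy", "id": _pool_id("lb-internal-basic", "pool-legacy")}],
            "loadBalancingRules": [], "outboundRules": []}},
]

SAMPLE_NICS = [
    _nic("nic-bastion", pip="pip-bastion"),
    _nic("nic-web1", pools=[_pool_id("lb-public", "pool-web")]),
    _nic("nic-app1", pools=[_pool_id("lb-internal", "pool-app")]),
    _nic("nic-legacy1", pools=[_pool_id("lb-internal-basic", "pool-legacy")]),
    _nic("nic-batch1"),
]


def index_backend_pools(lbs):
    """Map each backend-pool id to what its owning LB can do for outbound traffic."""
    pools = {}
    for lb in lbs:
        p = lb["properties"]
        public_frontend = any("publicIpAddress" in fe["properties"]
                              for fe in p.get("frontendIpConfigurations", []))
        for pool in p.get("backendAddressPools", []):
            pid = pool["id"].lower()
            # SNAT-capable rule on this pool: an outbound rule, or a load-balancing
            # rule that has not disabled outbound SNAT.
            rule_pool = lambda r: r["properties"].get("backendAddressPool", {}).get("id", "").lower()
            snat_rule = (any(rule_pool(r) == pid for r in p.get("outboundRules", [])) or
                         any(rule_pool(r) == pid and not r["properties"].get("disableOutboundSnat", False)
                             for r in p.get("loadBalancingRules", [])))
            pools[pid] = {"lb": lb["name"], "sku": lb["sku"]["name"],
                          "public": public_frontend, "snat_rule": snat_rule}
    return pools


def classify_nic(nic, pools):
    """Return (scenario, explanation) following the SNAT table plus the Standard ILB gotcha."""
    ipconfigs = [c["properties"] for c in nic["properties"]["ipConfigurations"]]
    if any(c.get("publicIpAddress") for c in ipconfigs):
        return "OWN_PIP", "SNAT with the instance's own PIP; TCP/UDP/ICMP/ESP, all ephemeral ports"
    members = [pools[m["id"].lower()] for c in ipconfigs
               for m in c.get("loadBalancerBackendAddressPools", []) if m["id"].lower() in pools]
    egress = [m for m in members if m["public"] and m["snat_rule"]]
    if egress:
        return "LB_PIP_PAT", f"SNAT+PAT via frontend PIP of {egress[0]['lb']}; TCP/UDP, shared ephemeral ports"
    if any(m["sku"] == "Standard" for m in members):
        return "NO_OUTBOUND", "only behind Standard LB(s) without a public SNAT path: add a PIP or a public LB with rules"
    return "DEFAULT_SNAT", "fallback: Azure-chosen shared PIP with PAT; no visibility or control over the address"


def outbound_report(nics, lbs):
    pools = index_backend_pools(lbs)
    return {nic["name"]: classify_nic(nic, pools)[0] for nic in nics}


if __name__ == "__main__":
    pools = index_backend_pools(SAMPLE_LBS)
    for nic in SAMPLE_NICS:
        scenario, why = classify_nic(nic, pools)
        print(f"{nic['name']:<12} {scenario:<12} {why}")
```

Feed it the `properties`-shaped objects you get from an ARM template export; the `az network nic show` output flattens `properties` to the top level, so wrap it first. Anything reported as `NO_OUTBOUND` or `DEFAULT_SNAT` is a node whose egress address you do not control, which matters as soon as a downstream firewall or partner allow-list is involved.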
23. AZURE
Load Balancer Trivia
Using an External Standard Load Balancer
“Secure by Default”
“Closed by default for public IP and Load Balancer endpoints and
a network security group must be used to explicitly whitelist for
traffic to flow!”
33. AZURE
Flow Symmetry – Single NIC
(diagram) Forward packet:
  Src IP: Trusted VM IP, Dst IP: Untrusted VM IP, Src Port: X, Dst Port: Y, Payload
Return packet (the same 5-tuple with source and destination swapped):
  Src IP: Untrusted VM IP, Dst IP: Trusted VM IP, Src Port: Y, Dst Port: X, Payload
34. AZURE
Flow Symmetry – Single NIC
https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/
35. AZURE
Flow Symmetry – Single NIC
(diagram: the same forward and return packets as on slide 33)
38. AZURE
Key Takeaways
• Floating IP = Load Balancer IP
• Dual NIC = Complex
    • Requires SNAT
    • Test NVA response to probes
• Single NIC (recommended)
    • No SNAT needed
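The flow-symmetry slides show the forward and return 5-tuples, and the takeaway is that dual-NIC NVAs need SNAT while single-NIC NVAs do not. The following added example (mine, not from the talk) models why with a toy hash-based distribution: a symmetric hash, standing in for the single-NIC case where both directions traverse the same load balancer frontend, always lands forward and return packets on the same NVA; two independently hashing internal load balancers, standing in for the trusted- and untrusted-side NICs of a dual-NIC design, often do not, until the NVA SNATs so that replies are addressed to its own NIC. The hashing, the NVA names and addresses, and the flows are constructed assumptions, not Azure's actual algorithm.

```python
# Flow-symmetry model for NVAs behind Azure load balancers (added example; toy hashing).
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "TCP"

    def reverse(self) -> "Flow":
        """The return packet: source and destination swapped, as on the slide."""
        return Flow(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def symmetric_key(f: Flow) -> str:
    """Hash input that is identical for a flow and its reverse (endpoints sorted)."""
    a, b = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return f"{f.proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"


def directional_key(f: Flow) -> str:
    """Plain 5-tuple hash input: forward and return flows differ."""
    return f"{f.proto}|{f.src_ip}:{f.src_port}>{f.dst_ip}:{f.dst_port}"


def pick_backend(key: str, backends, salt: str = "") -> str:
    """Toy stand-in for a load balancer's hash-based distribution (not Azure's algorithm)."""
    digest = hashlib.sha256(f"{salt}|{key}".encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


# Constructed NVA pair: name -> untrusted-side NIC address used when the NVA SNATs.
NVAS = {"nva-1": "10.1.2.4", "nva-2": "10.1.2.5"}


def single_nic_path(flow, nvas=NVAS):
    """Single-NIC NVAs behind one ILB frontend: both directions hit the same LB and,
    modelled with a symmetric hash, land on the same NVA. No SNAT needed."""
    names = sorted(nvas)
    return (pick_backend(symmetric_key(flow), names),
            pick_backend(symmetric_key(flow.reverse()), names))


def dual_nic_path(flow, nvas=NVAS, snat=False):
    """Dual-NIC NVAs: a trusted-side ILB and an untrusted-side ILB hash independently."""
    names = sorted(nvas)
    fwd = pick_backend(directional_key(flow), names, salt="trusted-ilb")
    if not snat:
        # The reply is addressed to the untrusted ILB frontend, which makes its own choice;
        # if it picks the other NVA, that NVA has no state for the flow and drops it.
        ret = pick_backend(directional_key(flow.reverse()), names, salt="untrusted-ilb")
        return fwd, ret
    # With SNAT the NVA masquerades as its own untrusted NIC; the reply is addressed to
    # that NIC and reaches the same NVA without passing through the untrusted ILB.
    egress = Flow(nvas[fwd], flow.dst_ip, flow.src_port, flow.dst_port, flow.proto)
    reply = egress.reverse()
    ret = next(name for name, ip in nvas.items() if ip == reply.dst_ip)
    return fwd, ret


def asymmetric_flows(path, n=200):
    """Count constructed flows (trusted 10.0.0.4 -> untrusted 10.2.0.4:443, varying source
    port) whose return packet reaches a different NVA than the forward packet."""
    bad = 0
    for sport in range(40000, 40000 + n):
        fwd, ret = path(Flow("10.0.0.4", "10.2.0.4", sport, 443))
        bad += fwd != ret
    return bad


if __name__ == "__main__":
    print("single NIC, symmetric hash :", asymmetric_flows(single_nic_path))
    print("dual NIC, no SNAT          :", asymmetric_flows(dual_nic_path))
    print("dual NIC, NVA SNATs        :", asymmetric_flows(lambda f: dual_nic_path(f, snat=True)))
```

The count for the dual-NIC, no-SNAT case is the fraction of connections that would silently die; that is also why the takeaway says to test how each NVA answers the load balancer's health probes, since a probe that succeeds on an NVA with no flow state tells you nothing about symmetry.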
41. AZURE
What to remember?
• Understand cost drivers
• Design accordingly
• Network is mostly <1% of the cost
42. AZURE
If you are reading this…
You made it to the end!
(without falling asleep)
43. AZURE
Surely there must be...
questions
… which I can answer for you!
http://feedback.expertslive.nl/
44. AZURE
Do you want to gain more
knowledge about Microsoft
technology?
The Future Ready Skills program
offers online courseware, online
labs, live Q&As and expert
sessions, so you can acquire
your official Microsoft Certificate
in the most efficient way.
For more information:
aka.ms/frsblog
FUTURE READY
SKILLS
45. AZURE
Next Session 17:30 – 18:30
Windows 10 is not your Daddy’s
Windows anymore… Security
improvements in the last builds
Kim Oppalfens & Tom Degreef