Are you looking to deploy a more complex set of resources in Azure, all secured and segregated by precise boundaries while still communicating closely with each other? With the arrival of the advanced IaaS networking features in Azure (network security groups, routing, multi-NIC, …) and their maturation over recent months, this is the moment to form a modern architectural view of networking in Azure, with a focus on multi-VNET / VPN topologies and based on the ARM deployment model.
2. 1 Business scenario
2 Networking services
3 Architecture and topologies
4 Scripting and automation
5 Technical solution
6 Demo
3. Cellenza: recognised experts in Cloud, DevOps, Integration, …
Azure, C#, ALM, SQL Server, Windows Client
Publications:
• White papers (Cell’Insights): http://www.cellenza.com/cellinsights
• Articles in Programmez!
• Cellenza blog: http://blog.cellenza.com
• Organisation of TechEvents
• Speakers at Microsoft conferences: TechDays, Azure Camp, …
4. Marius Zaharia
Senior Cloud Architect
[Word cloud: Efficient & Visionary; Manage, Teams, Architectures, Understand, Complex, International; my experience, my expertise]
Marius brings clients his expertise and experience in the analysis, design and development of complex enterprise applications and of application and infrastructure integration, based mainly on Microsoft technologies.
His profile lets him address Cloud Computing, SOA, hybridisation and enterprise architecture (IS urbanisation) in versatile solution/development and IT pro engagements.
Marius also works in Cellenza’s business development and pre-sales activities, as an Azure P-SELLER (in partnership with Microsoft).
In the community, Marius is involved in organising AZUG FR (Azure User Group France) and conferences such as Global Azure Bootcamp, MS Cloud Summit, regular meetups with the Azure community, etc.
[Badges: DevOps, P-SELLER Azure]
5. Introduction
“Azure VNET to VNET VPN, across regions and data centers: not so complicated”
Connection between multiple Azure Virtual Networks, in particular a VNET-to-VNET-to-VNET relationship
All based on PowerShell scripting and the classic deployment model in Azure
Azure is moving to the ARM deployment model and the new (modern) portal
Migration of existing features to ARM
Migration to the new portal
New innovative features
7. Business Case
Multiple environments communicating with each other
In the same Azure region
Across 2 regions
With the on-premises environments
Implement network connectivity between the environments
CONCRETE EXAMPLE: SQL Server AlwaysOn distributed cluster
1 primary (master) replica in Dublin
1 secondary replica (synchronous commit) in Dublin
1 secondary replica (asynchronous commit) in Amsterdam
10. Azure Networks
Virtual Network: logical isolation of the Azure cloud dedicated to your subscription
Subnet: range of IP addresses in the VNet, divided for organization and security
Public IP: allow Azure resources to communicate with Internet and Azure public-facing services
Network Interface Card: interconnection between a Virtual Machine (VM) and the underlying
software network
VPN Gateway: Azure service used to send network traffic between Azure virtual networks and
other locations
ExpressRoute: lets you extend your on-premises networks into the Microsoft cloud over a
dedicated private connection facilitated by a connectivity provider
Network Security Group: lets you control inbound and outbound access to network interfaces, VMs and subnets through an access control list (ACL) of prioritised allow/deny rules
User Defined Routes: specify the next hop for packets flowing to a specific subnet
IP Forwarding: Azure setting for a VM allowing it to receive traffic addressed to other
destinations
Virtual Appliance: VM in your VNet that runs a software based appliance function, such as
firewall, WAN optimization, or intrusion detection
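As an added example (not part of the deck, and not Cellenza's or Microsoft's code), the following Az PowerShell script wires four of the building blocks above together: a Network Security Group on a data subnet, a User Defined Route that sends traffic for a remote VNET through a Virtual Appliance, IP Forwarding on the appliance NIC, and a check of the effective routes and rules as a VM in the subnet sees them. The resource group, VNET, subnet and NIC names and all addresses are assumptions chosen for illustration.

```powershell
# Added example, not from the deck. Assumed (hypothetical) names: resource group 'rg-net-demo',
# VNET 'VNET1' = 10.1.0.0/16 with subnets 'data' (10.1.1.0/24) and 'nva' (10.1.2.0/24),
# appliance NIC 'nva-nic' at 10.1.2.4, SQL VM NIC 'sql01-nic' in the data subnet,
# remote VNET 10.3.0.0/16. Requires the Az module and a prior Connect-AzAccount.
$rg   = 'rg-net-demo'
$vnet = Get-AzVirtualNetwork -Name 'VNET1' -ResourceGroupName $rg

# 1. Network Security Group on the data subnet.
#    The default rule AllowVnetInBound (priority 65000) admits any source tagged VirtualNetwork,
#    which after peering or VPN means every connected VNET. Allow only what is needed and deny
#    the rest explicitly at a lower number (lower number = higher priority). If the subnet sits
#    behind an Azure Load Balancer, add an Allow for the AzureLoadBalancer tag before the deny.
$rules = @(
    (New-AzNetworkSecurityRuleConfig -Name 'allow-sql-from-nva' -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '10.1.2.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '10.1.1.0/24' -DestinationPortRange 1433),
    (New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Direction Inbound -Priority 4000 `
        -Access Deny -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*')
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-data' -ResourceGroupName $rg `
        -Location $vnet.Location -SecurityRules $rules

# 2. User Defined Route: packets from the data subnet to the remote VNET go to the appliance
#    instead of following the system route (VPN gateway or peering).
$route = New-AzRouteConfig -Name 'remote-vnet-via-nva' -AddressPrefix '10.3.0.0/16' `
            -NextHopType VirtualAppliance -NextHopIpAddress '10.1.2.4'
$rt = New-AzRouteTable -Name 'rt-data' -ResourceGroupName $rg -Location $vnet.Location -Route $route

# 3. Attach both to the data subnet and commit the VNET.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'data' -AddressPrefix '10.1.1.0/24' `
    -NetworkSecurityGroup $nsg -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. IP forwarding on the appliance NIC. Without it the fabric drops packets whose destination
#    is not the NIC's own address, so the UDR above would black-hole the traffic.
#    (The guest OS must forward as well, e.g. net.ipv4.ip_forward=1 on Linux.)
$nic = Get-AzNetworkInterface -Name 'nva-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 5. Check from the SQL VM's point of view (the VM must be running): the effective route table
#    must list 10.3.0.0/16 with next hop VirtualAppliance 10.1.2.4, and the effective NSG rules
#    must show the two custom rules above the defaults.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'sql01-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '10.3.0.0/16' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress
(Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'sql01-nic' -ResourceGroupName $rg).EffectiveSecurityRules |
    Where-Object { $_.Name -like '*allow-sql-from-nva' -or $_.Name -like '*deny-all-inbound' } |
    Select-Object Name, Priority, Access, DestinationPortRange
```

The order matters: attach the route table only once the appliance NIC forwards, otherwise the data subnet loses its path to the remote VNET for the interval in between. The effective-route query is the check to run after any UDR change, because a route that the portal shows as saved can still be shadowed by a more specific system route.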
11. Azure Networking: VNET Peering
VNet peering: a mechanism that connects two VNets through the Azure backbone network; at the time of this deck it was limited to VNets in the same region (global VNet peering across regions was added later)
Once peered, the two virtual networks appear as one for all connectivity purposes
Low-latency, high-bandwidth connection, with no gateway in the path
Can connect ARM-to-ARM VNets, or ARM-to-Classic
Requirements and key aspects
VNets in the same Azure region
Non-overlapping IP address spaces
No derived transitive relationship: A peered with B and B peered with C does not let A reach C
Peering two different subscriptions possible, but under conditions*
Peering between ARM and Classic, under conditions*
No Classic to Classic
Networking bandwidth cap based on VM size still applies
13. Azure networking: Traffic Manager
Controls the distribution of user traffic to service endpoints in different datacenters
Uses DNS to direct client requests; it is not in the data path
Features
Traffic-routing methods
Priority
Weighted
Performance
Nested Traffic Manager profiles
Monitoring of endpoint health
Automatic failover
14. Azure Networking: Application Gateway
Application Gateway: Application Delivery Controller (ADC) as a service, layer 7 load balancing
Features
Web Application Firewall (Preview)
HTTP load balancing
Cookie-based session affinity
SSL offload; end to end SSL
URL-based content routing
Multi-site routing (up to 20)
Websocket support
Health monitoring
Advanced diagnostics
15. Load Balancer differences
Azure Load Balancer works at the transport layer (Layer 4 in the OSI network reference stack). It provides network-level distribution of traffic across instances of an application running in the same Azure region.
Application Gateway works at the application layer (Layer 7 in the OSI network reference stack). It acts as a reverse-proxy service, terminating the client connection and forwarding requests to back-end endpoints.
Traffic Manager works at the DNS level. It uses DNS responses to direct end-user traffic to globally distributed endpoints; clients then connect to those endpoints directly, so Traffic Manager never sees the traffic itself.
17. Azure Networking - Cross-Premises Connections
Cross-premises connection options:
Site-to-Site: VPN connection over IPsec (IKEv1 and IKEv2). This type of connection requires a physical or virtual (RRAS) VPN device on the on-premises side.
Point-to-Site: VPN connection over SSTP (Secure Socket Tunneling Protocol) from individual client machines. This connection does not require a VPN device.
VNet-to-VNet: the same as a Site-to-Site configuration, a VPN connection over IPsec (IKEv1 and IKEv2) between two Azure VPN gateways. It does not require a VPN device.
Multi-Site: a variation of a Site-to-Site configuration that allows you to connect multiple on-premises sites to one virtual network gateway.
ExpressRoute: a direct connection to Azure from your WAN, not over the public Internet. See the ExpressRoute Technical Overview and the ExpressRoute FAQ for more information.
19. Simple Hybrid Topology (point-to-point)
[Diagram: On-premises network, IPsec VPN gateway to gateway, VNET 1]
VNET – S2S IPsec VPN to on-premises: Site-to-Site VPN connection over IPsec (IKEv1 and IKEv2). This type of connection requires a physical or virtual (RRAS) VPN device on the on-premises side.
20. Simple Hybrid Topology (point-to-point)
[Diagram: On-premises network connected to VNET 1 by an IPsec VPN (gateway to gateway) and, alternatively, by ExpressRoute]
VNET – S2S IPsec VPN with on-premises
VNET – ExpressRoute with on-premises: direct connection to Azure from your WAN, not over the public Internet.
21. Simple Cloud-Only Topology
[Diagram: VNET 1, IPsec VPN gateway to gateway, VNET 2]
VNet-to-VNet: this type of connection is the same as a Site-to-Site configuration. It is a VPN connection over IPsec (IKEv1 and IKEv2) and does not require a VPN device; the tunnel is carried over the Microsoft backbone as transport.
22. Simple Cloud-Only Topology
[Diagram: VNET 1, gateway to gateway over ExpressRoute, VNET 2]
VNet-to-VNet: the same VNet-to-VNet description as on the previous slide (an IPsec connection, IKEv1 and IKEv2, with no VPN device required); here the two gateways are shown linked through ExpressRoute rather than the Microsoft backbone transport.
23. Simple Cloud-Only Topology
[Diagram: VNET 1, peering, VNET 2]
VNET – peering to VNET
Transport: Azure backbone, intra-datacenter (no gateway, no tunnel)
25. Complex Topologies
« HUB & SPOKE »
[Diagram: VNET 1 at the centre, connected to VNET 2, VNET 3, VNET 4 and VNET 5]
• Configure simple bidirectional communications between the master (hub) VNET and the satellite (spoke) VNETs.
• Any of the direct connectivity options described before (IPsec VPN, ExpressRoute where applicable, or peering) can be used here.
26. Complex Topologies
« DAISY CHAIN »
[Diagram: VNET 1 connected to VNET 2, VNET 2 connected to VNET 3]
• Transitivity: VNET 1 communicates with VNET 3 via a specific routing configuration set up in VNET 2 (neither VPN connections nor peering are transitive by themselves).
• Advantage: reuse of a connection already established for another VNET.
• Drawback: if VNET 2 (or its gateway) loses connectivity, the connectivity between the outer VNETs is lost with it.
27. Complex Topologies
« (FULL) MESH »
[Diagram: VNET 1, VNET 2, VNET 3 and VNET 4, each connected directly to the others]
• Gives you full control over the direct connectivity between the various VNETs, without dependencies on intermediate VNETs or their gateways.
• Much more work to get it done (one connection per pair of VNETs).
• It is up to you to decide which VNET communicates with which one.
Do it in Azure?
• VPN gateways and bidirectional connections
• VNET peerings
29. Technical Solution
The solution is composed of 3 main segments:
1. VNET Peering between VNET2 and VNET1 (both VNETs being in the same region)
2. Site-to-Site (VNet-to-VNet) VPN connection between VNET1 (Dublin) and VNET3 (Amsterdam), with VPN Gateways deployed in both VNETs
3. Transitivity from VNET2 to VNET3 through VPN Gateway 1. This transitivity is configured directly in the VNET peering settings (gateway transit allowed on the VNET1 side, remote gateway used on the VNET2 side), not with user defined routes
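The three segments above, as an added example in Az PowerShell (not the deck's own script, which used the AzureRm cmdlets of the time; those take the same parameters with "AzureRm" in place of "Az", e.g. Add-AzureRmVirtualNetworkPeering). Resource group, VNET, gateway and connection names, regions and address spaces are assumptions chosen for illustration.

```powershell
# Added example, not from the deck. Assumed (hypothetical) names and address spaces.
# Requires the Az module and a prior Connect-AzAccount. Gateway provisioning takes tens
# of minutes, so run this as a script rather than line by line.
$rg     = 'rg-net-demo'
$locDub = 'northeurope'   # Dublin
$locAms = 'westeurope'    # Amsterdam
New-AzResourceGroup -Name $rg -Location $locDub -Force | Out-Null

# VNETs. Non-overlapping address spaces are a hard requirement for both peering and VPN.
function New-DemoVnet {
    param([string]$Name, [string]$Location, [string]$Space, [string]$Data, [string]$Gw)
    $subnets = @((New-AzVirtualNetworkSubnetConfig -Name 'data' -AddressPrefix $Data))
    if ($Gw) { $subnets += New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $Gw }
    New-AzVirtualNetwork -Name $Name -ResourceGroupName $rg -Location $Location -AddressPrefix $Space -Subnet $subnets
}
$vnet1 = New-DemoVnet -Name 'VNET1' -Location $locDub -Space '10.1.0.0/16' -Data '10.1.1.0/24' -Gw '10.1.255.0/27'
$vnet2 = New-DemoVnet -Name 'VNET2' -Location $locDub -Space '10.2.0.0/16' -Data '10.2.1.0/24'
$vnet3 = New-DemoVnet -Name 'VNET3' -Location $locAms -Space '10.3.0.0/16' -Data '10.3.1.0/24' -Gw '10.3.255.0/27'

# Segment 2: a route-based VPN gateway in VNET1 and in VNET3, then one connection per direction.
function New-DemoGateway {
    param([string]$Name, $Vnet, [string]$Location)
    $pip = New-AzPublicIpAddress -Name "$Name-pip" -ResourceGroupName $rg -Location $Location `
               -Sku Standard -AllocationMethod Static
    $sub = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $Vnet
    $cfg = New-AzVirtualNetworkGatewayIpConfig -Name "$Name-ipconf" -SubnetId $sub.Id -PublicIpAddressId $pip.Id
    New-AzVirtualNetworkGateway -Name $Name -ResourceGroupName $rg -Location $Location `
        -IpConfigurations $cfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1
}
$gw1 = New-DemoGateway -Name 'GW1' -Vnet $vnet1 -Location $locDub
$gw3 = New-DemoGateway -Name 'GW3' -Vnet $vnet3 -Location $locAms

# IPsec pre-shared key from a CSPRNG, never a hard-coded string; both directions must use the same value.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

New-AzVirtualNetworkGatewayConnection -Name 'VNET1-to-VNET3' -ResourceGroupName $rg -Location $locDub `
    -VirtualNetworkGateway1 $gw1 -VirtualNetworkGateway2 $gw3 -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null
New-AzVirtualNetworkGatewayConnection -Name 'VNET3-to-VNET1' -ResourceGroupName $rg -Location $locAms `
    -VirtualNetworkGateway1 $gw3 -VirtualNetworkGateway2 $gw1 -ConnectionType Vnet2Vnet -SharedKey $psk | Out-Null

# Segments 1 and 3: peer VNET1 <-> VNET2 (both Dublin) and switch on gateway transit.
# VNET1 offers its gateway (AllowGatewayTransit); VNET2 uses it (UseRemoteGateways), so VNET2
# reaches VNET3 through GW1 without a gateway of its own. VNET2 must not have a gateway itself.
$vnet1 = Get-AzVirtualNetwork -Name 'VNET1' -ResourceGroupName $rg   # refresh after gateway creation
Add-AzVirtualNetworkPeering -Name 'VNET1-to-VNET2' -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id `
    -AllowForwardedTraffic -AllowGatewayTransit | Out-Null
Add-AzVirtualNetworkPeering -Name 'VNET2-to-VNET1' -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id `
    -AllowForwardedTraffic -UseRemoteGateways | Out-Null

# Checks: both peering links Connected and both VPN connections Connected. A NIC in VNET2
# should then show an effective route to 10.3.0.0/16 with next hop VirtualNetworkGateway.
Get-AzVirtualNetworkPeering -VirtualNetworkName 'VNET2' -ResourceGroupName $rg |
    Select-Object Name, PeeringState, UseRemoteGateways
'VNET1-to-VNET3', 'VNET3-to-VNET1' | ForEach-Object {
    Get-AzVirtualNetworkGatewayConnection -Name $_ -ResourceGroupName $rg | Select-Object Name, ConnectionStatus
}
```

Two points worth checking after deployment: the peering must be created in both directions and both sides must report PeeringState Connected, otherwise gateway transit silently does nothing; and because the key is generated in the session, anyone with a PowerShell transcript of the run holds the IPsec pre-shared key, so store it in a vault or rotate it with Set-AzVirtualNetworkGatewayConnectionSharedKey once the connections are up. With a VNet-to-VNet connection the Amsterdam gateway learns VNET2's 10.2.0.0/16 from the Dublin gateway; with an on-premises Site-to-Site connection instead, the on-premises device would also need that spoke prefix added to its configuration.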
30. Technical Solution - Diagram
[Diagram: Dublin DC with VNET 1 (VPN gateway) peered with VNET 2; IPsec VPN gateway to gateway to VNET 3 in the Amsterdam DC; master (primary) replica and secondary replica 1 in Dublin, secondary replica 2 in Amsterdam; VNET 4 also shown]