Brk30176 enterprise class networking in azure

Agenda
Network infrastructure
Four pillars of Azure Networking
Multi-access edge compute tech preview

Our mission
To provide the most secure, trusted, reliable
and performant network for your
workloads, delivered and managed from
the Intelligent Cloud to the Intelligent Edge

Microsoft global network
54 Azure
regions 130k+ miles of fiber +
subsea cables 160+edge
sites 500+network
partners 20k+peering
connections
Region
Edge
Network

Connecting Azure regions to the global network
Edge
Enterprise peering
P R I V A T E
Internet peering
P U B L I C
Microsoft Wide Area Network
Regional Gateways
Availability Zone
D C
D C D C
Availability Zone
D C
D C D C
Availability Zone
D C
D C D C
Azure Region

Microsoft Global Network (WAN)
The Azure Network Edge
Traffic to and between DCs
WAN
core routers
Azure
ExpressRoute
Azure Front Door,
CDN, WAF
Azure Network Edge
Internet and private network

Modernizing your
network
Azure
Networking
services

Azure Peering Service
Monitoring
Peering service platform
Operational
insights
MS Peering
partner
Internet
Customer
Enterprise grade
Internet connectivity
User telemetry RADAR
Connectivity partners
•
•
•
Telemetry platform
•
•
•
Route Anomalies Detection and
Auto Remediation (RADAR)

Delivering optimal public Internet
connectivity to Microsoft Cloud
PREVIEW
BRK2144 | 11/05 (3:30 - 4:15 PM) | Selecting the correct network connectivity service for your workloads

Azure Virtual WAN
Region 2
Region 1
Region 3
Datacenter
Point-to-site VPN
ExpressRoute
VNet
VNet
VNet
Corp HQ
Branch Branch Branch Branch
VNet
• ExpressRoute Integration
• Point to site VPN Integration
• Path selection from branch
GA
PREVIEW
• Hub/Any-to-any connectivity
• Azure Firewall integration
Provides optimized and automated
branch connectivity to, and
through Azure
BRK3138 | 11/06 (9:15 - 10 AM) | Global transit network architectures with Azure Virtual WAN

ExpressRoute
Fast Path
• Improved throughput, packets/sec, connections/sec,
number of flows
ExpressRoute Site
Customer
Cage
Microsoft
Cage
GA
PREVIEW
MACsec encryption
• Secures physical links at ExpressRoute sites
• Bring-your-own-key, store keys in Azure Key Vault
• Available on ER Direct
ExpressRoute Local
• No egress charges from Azure to local ER site
Continued expansion of ER locations
BRK3172 | 11/06 (3:30 – 4:15 PM) | Advanced networking best practices with Azure ExpressRoute
MACsec

SKUs
Aggregate
throughput
P2S
connections
IKEv1/v2
VpnGw1 650 Mbps 250 IKEv1+IKEv2
VpnGw2 1 Gbps 500 IKEv1+IKEv2
VpnGw3 2.5 Gbps 1000 IKEv1+IKEv2
VpnGw4 5 Gbps 5,000 IKEv1+IKEv2
VpnGw5 10 Gbps 10,000 IKEv1+IKEv2
VPN
PREVIEW
PREVIEWAAD auth + MFA
Azure VPN Client (Windows App)
• OpenVPN protocol
• Native AAD authentication with MFA
• Client-side Diagnostics, Logs, & Metrics
High throughput VPN – 10Gbps
• New Azure VPN gateways – VpnGw3/4/5
• Up to 10 Gbps aggregate
• Up to 10,000 P2S connections
IKEv1 + IKEv2 on VpnGw1-5
• IKEv1 on new VpnGw SKUs (1 ~ 5)
• Multiple IKEv1 S2S tunnels
• IKEv1 and IKEv2 on the same VPN gateway
VPN gateway packet capture
• With 5-tuple packet filter
• ETW or PCAP formats
Custom IKE traffic selectors
PREVIEW
GA
GA
COMING SOON
BRK2144 | 11/05 (3:30 - 4:15 PM) | Selecting the correct network connectivity service for your workloads

IPv6 in Azure VNETs
THR3111 | 11/05 (4:20 - 4:40 PM) | GA launch of IPv6 for Azure VNETs
"We've grown to value and trust the stability and
reliability of IPv6 connectivity in Azure. As we look to
expand our cloud-based portfolio and offer additional
services for the 65 million endpoints we manage
globally, IPv6 capability is a key enabler for adapting
our IoT framework to the cloud.”
Greg Richards, SVP, Technology & Research, Itron
Native IPv6 all the way to the VMs
Private IPv6 addresses for VMs and NICs
Dual stacked IPv4/IPv6 VMs for max flexibility
GA
Internet
IPv6 User-
Defined
Routes
IPv6
NSG
Rules
IPv6
Load
Balancer
IPv6
IPv6
IPv4
Windows VM
Front-End
Subnet
IPv6
NSG
RulesApplication
Subnet
DDoS Protection
IPv6
IPv4
Linux VM
Azure Virtual Network Dual Stacked (IPv4+IPv6)

Azure
Networking
services
Modernizing your
network

Achieving Zero Trust with Azure Networking
Cloud-native network security services
Defense-in-depth
+
Software Defined Network (SDN)
Virtual
Networks
Network
Security Groups
User Defined
Routes
Load
Balancer
Azure
Firewall
Azure DDoS
Protection
Azure Web
Application Firewall
Azure
Private Link

Azure Private Link
Highly secure and private connectivity to Azure services
Private access from VNets,
peered VNets and
on-premises
In-built Data
Exfiltration Protection
Predictable private IP
addresses for PaaS
resources
Unified experience across
PaaS, Customer Owned
and marketplace Services
Private Link for Azure Storage, SQL DB and data exfiltration protection
PREVIEW
BRK3168 | 11/07 (9:15 - 10 AM) | Delivering services privately in your VNet with Azure Private Link
Azure PaaS and
marketplace services
ER Gateway
Private
endpoint
10.0.0.5
Deny Internet
On-premises
Virtual Network (10.0.0.0/16)
Private
Link
Storage SQL DWSQL Marketplace

Azure Firewall Manager
Central deployment and configuration
•
•
Automated routing
•
Advanced security with 3rd party SECaaS
•
•
PREVIEW
Virtual Network support, Split routing
•
•
ROADMAP
Central network security policy and route management
for globally distributed, software-defined perimeters
Global admin
Global policy
Azure region 1 Azure region N
Azure
Firewall
Secured
vHub
Azure
Firewall
Secured
vHub
Local admin
HQ/
branch
Virtual WAN
ER/VPN
Datacenter
Virtual WAN
ER/VPN
End-user
devices
VPN
VNet
3rd party
partners
3rd party
partners

Azure Firewall Manager
Trusted security partners
Use Azure as your Secured Internet Edge
Use best-in-breed third-
party Security-as-a-
Service (SECaaS)
partners with Azure
Firewall Manager
Protect VNet-to-
Internet or Branch-to-
Internet user traffic
Combine with Azure
Firewall for layered
security
Breakout Office 365
traffic directly at branch;
filter rest of Internet
traffic using SECaaS on
Azure
BRK3170 | 11/07 (3:30 - 4:15 PM) | Building and Managing distributed micro-perimeters with Azure Firewall
AVAILABLE IN PREVIEW COMING SOON

BRK3185 | 11/06 (2:15 - 3 PM) | Securing your cloud perimeter with Azure Network Security
Azure Bastion
Secure and seamless RDP and SSH access to your
virtual machines
GA
RDP/SSH to your workload using HTML5 standards-
based web-browser, directly in Azure Portal
Resources can be accessed without public IP
addresses
Supported Azure resources include VMs, VM Scale
Sets, Dev-Test Labs
Azure Portal
Remote Protocol
(RDP, SSH, et al)
SSL
443,
Internet
AzureBastionSubnet
Port: 3389/22
“AzureBastionSubnet”
Target VM Subnet(s)
Private IP
Azure VM
Azure VM
Azure VM
Customer’s Virtual Network
SSL
Azure Bastion

Azure WAF
BRK3171 | 11/08 (9:15 - 10 AM) | Using Azure Web Application Firewall to protect your web applications and web APIs
Azure Global WAF
(Front Door)
Azure Regional WAF
(Application Gateway)
Uniform policy
WAF policy
PaaS, IaaS and on-premises backends
OWASP rules
Bot management
Custom rules
Microsoft threat intelligence
•
•
Site and URI path specific WAF policies

Geo filtering on regional WAF

PREVIEW
Unified WAF offering
•
Web Application Firewall

BRK3169 | 11/07 (2:15 - 3 PM) | Deliver highly available and secure web applications with Azure Application Gateway and WAF
Application Gateway
Azure Kubernetes Services (AKS) Ingress Controller
•
•
Azure Key Vault integration
•
Enhanced Metrics
•
GA
Wildcard listener
•
COMING SOON
Application
Gateway
Azure ARM
Azure Key Vault
Azure Kubernetes
Services (AKS)
AKS API
server
AG Ingress
Controller
Pods
Application Gateway routing rules
Application Delivery Controller

BRK2146 | 11/07 (11:45 AM - 12:30 PM) | Taking applications and content to the edge
Azure Front Door
Global entry point for high performance, high
availability web applications
GA
Single or multi-region app and API acceleration

Load balancing at the Edge and fast-failover

Integrated SSL, WAF and DDoS

Single region apps
Network Edge POP
Azure region
www.contoso.com
Global
Network
/*
/search/*
Accelerate
Multi-region apps
Network Edge POP
Azure region 1
www.contoso.com
Global
Network
Accelerate
Azure region 2
Failover

Azure CDN
Cost efficient, reliable global content distribution
GA
Reduced Azure egress pricing
•
PREVIEW
Easy to use and highly customizable rules engine
•
•
Azure Region
On-premise/external
Media services
Storage
App service
Edge delivery partners
www.contoso.com
vod.contoso.com
API
Mobile
Media
IoT
Updates
Files

Internet Analyzer
Easily measure and compare end user
experience for your application
Cloud migration
Measure the impact of moving the web app to cloud
PREVIEW
CDN and app acceleration
Measure the performance impact of Front Door and CDN
Perform A/B measurements
Measure end user performance of two versions of app
or impact of multiple region deployments
Your real end users,
your customers around the globe
2
Configure your
tests
3
Get your global
perf scorecards
1 Deploy internet
analyzer client
Delivered with
your app
Your current
application
architecture
“What-if”
application
architecture
The
internet
A C T I V E
P E R F O R M A N C E
M E A S U R E M E N T S
Test
configuration
Measurement data

Azure monitor for networks
Traffic analytics – accelerated processing
 From hours to minutes, faster insights into application and
network activity
GA
Enhanced troubleshooting
• Improved connectivity checks for load balancers, global peering,
cross region connectivity, User Defined Routes, NVAs, ExpressRoute
Monitoring and troubleshooting for cloud and
hybrid networks
Network insights
• Single health console for the entire cloud network
• No agent/configuration required
PREVIEW

Brk30176 enterprise class networking in azure

Brk30176 enterprise class networking in azure

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Brk30176 enterprise class networking in azure

Similar to Brk30176 enterprise class networking in azure (20)

Recently uploaded

Recently uploaded (20)

Brk30176 enterprise class networking in azure