Flash card architect network infra in azure

© 2019 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.
Flash Card – Architect
networking Infra in Azure
Prepared by Lai

VPN Gateway
Site to Site
connection
Point to Site
connection
Network to
Network
connection

VPN Gateway Sizes

HA VPN Gateway – Active/Standby

HA VPN Gateway – Active/Active
Use BGP
routing
protocol

HA VPN Gateway
Express Route
Failover
Zone Redundant
Gateways
Alternative configure
VPN Gateway (failover
path)
Deploy VPN & Express
Route Gateway in diff
AZ

Azure CLI Command
Create Virtual
Network
Az network vnet create
Create Subnet Az network vnet subnet create
Create local
network gateway
Az network local-gateway create
Verify Virtual
network
Az network vnet list --output table

Azure CLI Command
Verify network
local gateway
Az network local-gateway list
Create virtual
network gateway
Az network vnet-gateway create

Express RouteDedicated &
Private
Reliable
Latency
minimal
Layer 3
connectivity Build in
redundancy
Connectivity to
Microsoft Cloud
Services
Use BGP
Don’t
support
HSRP

ExpressRoute Connectivity Model

Co-location at Cloud
Exchange
Point-point Ethernet
connection
Co-located provider
(ISP) to Microsoft
Cloud
On-prem to Microsoft
Cloud
Any to Any Network
MPLS(private WAN) to
Microsoft Cloud

How it’s work? Work with Express Route Partner
Private wire

Express Route Support Two Peering
To connect Azure PaaS (0365, Dynamic 365)
To connect Azure IaaS & PaaS services deployed inside Azure virtual network Access via private IP

Express Route Use Case
Low latency connectivity
Accessing high volume system
in the cloud
Consuming Microsoft Cloud
Services (large user)
Migration
Security - data cannot traverse
over public internet
Express Route Benefit
Predictable performance
Data Privacy (secure use MPLS
WAN link)
High throughput, low latency
connection
Availability

Security

Network Security
Group (NSG)
Filter network traffic
Assigned to network
interface/subnet
stateful
Rule with lower priority
process first
Deny rule takes
precedence if it process
first

Azure CLI
Create NSG Az network nsg create
Create
Application
Security group
Az network asg create

Secure Network Access to PaaS
Use Virtual Network
Service Endpoint
Direct connection to
Azure Services
Secure resources to your
virtual network
Services remain on the
Azure backbone

Azure Service Endpoint
availability to:
Azure Storage
Azure SQL Database
Azure Key Vault
Azure Service Bus
Azure Data Lake
How to do?
1. Turn off public access to the service
2. Add the service endpoint to a virtual
network

Azure Service Endpoint
By default not
accessible from on-
prem network. To allow
acess from on-prem,
use NAT IP

Virtual Network Peering

Virtual Network Peering
Traffic routed through
Azure Network
Use only private IP
(private)
Connect virtual network in same azure regionVirtual network peering
Global Virtual network
peering
Connect virtual network in different azure region

Virtual network peering
Reciprocal connection
(need to create on each
virtual network)
Cross subscription
support
Non transitive
(A – B – C)
Gateway transit (on-
prem)
Non overlapping IP
address

Azure CLI
Create virtual
network peering
Az network vnet peering create
Check network
peering
Az network vnet peering list

Azure Traffic Manager

Azure Traffic
Manager
Act as DNS Load Balancer. Provides DNS load balancing
to application to distribute traffic
Routing methods
Weighted routing Performance
routing
Geographic
routing
Multi value
routing
Subnet routing priority routing

Weighted routing
Distribute traffic
based on weight

Performance
routing
Send user to the
endpoint that has
best performance
Use Internet
latency table

Geographic
routing
Directed to
endpoint based
on where their
DNS query
originated
Europe-> Europe
China -> China

Multi value
routing
Subnet routing
Priority routing
Multiple healthy
endpoint
Map based on set
of IP address
range to endpoint
Contain priority list of
service endpoint

Azure CLI
Create Traffic
Manager Profile
Az network traffic-manager profile create
Create Traffic
Manager Endpoint
Az network traffic-manager endpoint
create

Azure Load Balancer

Azure Load Balancer
Distribute traffic across multiple VM
Scale application
Create HA for VM & services
Availability Set
Availability
Zones
5 tuple hash (default
distribution modes)

Availability Set
Protection for hardware
failures within datacenters
Use to isolate VM
resources from each other
when deploy
Run across multiple
physical server, computer,
rack, storage & network

Availability zone
Protection from entire
datacenter failure
Group of 1 or more datacenter
Independent power, cooling &
networking
Different physical location
within same region

Basic Load Balancer Standard Load Balancer
Port Forwarding Health Probes
Automatic reconfiguration
Diagnostic through Azure Log
Analytic for public facing load
balancer
Outbound connection through
source network address
translation (SNAT)
HTTPS health probes
Availability Zones
Diagnostic through Azure
Monitor for multi dimensional
metric
Ha ports, Outbound rules

Five Tuple Hash (Distribution Modes)
Default mode
Directed to different
vm for each session

Source IP affinity (Distribution Modes)
Session affinity
Request from
specific client are
always sent to the
same VM behind the
load balancer
Example: Remote
Desktop Gateway,
Media Upload

Azure CLI
Create new
public ip
Az network public-ip create
Create Load
Balancer
Az network lb create
Monitor status
using LB
Az network lb probe create

Public & Internal LB

Application Gateway

Application Gateway
Application Gateway routes traffic to a pool of
web servers based on the URL of a request
Use round robin
approach

Routing Traffic
Path based routing
Send request with
different path in the
URL to different pool
of back end server
Example:
/video/*-> VM handle
streaming
/Images/* -> VM
handle image

Routing Traffic
Multi site routing
Register multiple DNS
name (CNAME) for
the IP address of
Application Gateway

Web Application
Firewall (WAF)
Handle incoming request before they
reach a listener
• SQL injection
• Cross site scripting
• Command injection
• HTTP request smuggling
• HTTP response splitting
• Remote file inclusion
• Bots, crawlers & scanners
• HTTP protocol violation & anomalies

Routing

System Routes
None: Any traffic routed to this
hop type is dropped and doesn't
get routed outside the subnet.

Azure CLI
Create route
table
Az network route-table create
Create custom
route table
Az network route-table route create

NVA
Network Virtual
Appliance
• Firewall
• WAN
optimizer
• Application
delivery
controllers
• Routers
• Load balancer
• IDS/IPS
• proxies
Available in
marketplace
Control flow of
network traffic
by controlling
routing

IP Addressing
Reserve IP .1, .2, .3 and last IP

Hybrid Networking Capability Matrix

Designing Hybrid

Hub & Spoke
Hub = Central
Location
Spoke = Branch
1
Spoke = Branch
2
Virtual
network
peering

Hub & Spoke

Express Route

Secure Network Design Azure Virtual network
Azure DNS
Azure Application Gateway
Azure Load Balancer
Perimeter network
NACL NSG
Route
Control
Network Virtual
Appliance
Express Route

Hub & Spoke
Security
NSG
Perimeter
network
Network
Virtual
Appliance
Express Route
Azure Firewall

Azure Firewall
Stateful network firewall
Policy enforcement
Enforce across virtual
network, region &
subscription
Integrate with Azure
Monitor Logs
Log stored in Azure Storage Account,
steamed to Azure Event Hub or sent to
Azure Monitor Log

Monitoring

Azure Network
Watcher
Central place to diagnose the health of Azure
network
Monitoring
tools
Diagnostic
tools
Topology
Connection
Monitor
Network
Performance
Monitor

Topology
Generate a graphical display of Azure virtual network , its
resources, its interconnections, and their relationships with
each other.

Connection
Monitor
to check that connections work between Azure
resources.
Network
Performance Monitor
enables you to track and alert on latency and packet
drops over time. It gives you a centralized view of your
network
Diagnostic
tools
IP Flow verify
Next Hop
Packet capture
Security Group
View
Connection
Troubleshoot
VPN
Troubleshoot

IP Flow verify Next Hop
Security Group
View
tells you if packets are
allowed or denied for
a specific virtual
machine
you can determine
how a packet gets
from a VM to any
destination
displays all the
effective NSG rules
applied to a network
interface

Packet capture
Connection
Troubleshoot
VPN
Troubleshoot
to record all of the
packets sent to and
from a VM
to check TCP
connectivity between
a source and
destination VM
to diagnose problems
with virtual network
gateway connections

Thank You

Flash card architect network infra in azure

More Related Content

What's hot

Similar to Flash card architect network infra in azure

More from Yoong Seng Lai

Recently uploaded

Flash card architect network infra in azure