Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Networking deep dive
Similar to Networking deep dive (20)
Recently uploaded
Recently uploaded (20)
Networking deep dive
- 1. Networking Deep Dive Design your Azure network in a secure way!
- 3. Network Journey Basic Virtual Network in Azure Hybrid Connection with VPN Hybrid Connection with Express Route Secure Network
- 5. VNET Basics Design and deploy your basic VNET
- 6. It all starts with a…. Azure subscription
- 7. Resource group It all starts with a….
- 8. Virtual Network Resource group It all starts with a….
- 9. Resource group Virtual Network It all starts with a….
- 10. Azure subscription Resource group Virtual Network NSG NSG NSG NSG It all starts with a….
- 11. Specify DNS Servers in the Virtual Network • Hosted in an Azure VM • External • On-Premises (with hybrid connection) VMs are assigned specified DNS at boot. TIP: if DNS is added after a virtual machine is running, a reboot is required for assignment. DNS
- 12. Demo Creating A Basic Network DemoCreating a basic network Demo 1
- 13. • A Network Security Group (NSG) is used to allow/deny traffic • Source/Traget configurable • Port configurable • Can be applied on a subnet work virtual network interface • No deep package inspection TIP: When deploying a NSG, make sure that you deny all traffic by default. Only allow traffic that is required. Network Security Group
- 14. •Does the following situation work? Question FrontEnd VM BackEnd VM Subnet 10.0.0.0/24 NSG 1. Allow port 80 2. Deny Any HTTP Port 80 App Port 8080 No - NSG traffic is always handled on the NIC of a VM.
- 15. Design – Perimeter Network
- 16. DEMO Applying Network Security Groups Demo Creating A Basic Network DemoApplying Network Security Groups Demo 2
- 17. •A Network Virtual Appliance (NVA) can be used to control the flow of network traffic. • Firewall • Load Balancing • (Reverse) Proxy Network Virtual Appliance
- 18. Design – Perimeter Network with NVA
- 19. •Used to control traffic flow • Mostly used to let traffic flow into a network virtual appliance User Defined Routes
- 20. Design – Perimeter Network with NVA and UDR
- 21. Service Endpoints •Connect Public Azure Services to your VNET • More secure, internet access to the public service can now be disabled • At this moment available for: • Azure Cosmos DB • Azure SQL • Azure SQL Data Warehouse • Azure Storage (storage accounts and backup)
- 23. DEMO Applying Network Security Groups Demo Creating A Basic Network DemoService-Endpoints Demo 3
- 24. • Create subnets for: • Isolation (for Dev/Test) • Security (DMZ zone) • Create NSGs at least for every subnet (preferred for every network interface) • Only allow traffic to ports that is required for your service to run. • Use a Network Virtual Appliance to control the flow of network traffic Designing your Virtual Network
- 26. Hybrid Connection (Hybrid) Connections Your connection to other networks and the on-premise site!
- 27. •Via VNET Peering • Connect at least two Azure Virtual Networks trough the Azure Backbone •Via VPN • Traffic is routed in a secure tunnel (IPSEC) over the internet to Microsoft Azure. • Can be used for site-to-site purposes but also client-to-site purposes. •Via ExpressRoute • Traffic is routed directly from your network to Microsoft Azure • A cloud connect provider/datacenter is required Available connection types
- 29. Connection between VNETS • Uses Azure Backbone • Low latency • No need for gateways/NVAs • Does not exchange all routes • Only routes for the two connected VNETs are shared TIP: Global VNET peering is general available, but not for all regions. Check the regions first before deciding to use VNET peering globally.
- 30. Design Hub-Spoke with VNET peering
- 31. Demo Creating a VPN connection Demo Creating A Basic Network DemoSetup VNET Peering Demo 4
- 33. VPN Connection • Three types: • Point-to-Site • Site-to-Site (IPsec) • VNET-to-VNET • Uses VPN gateways to establish connections • High uptimes (99,9%) • Various SKUs available with a different bandwidth, amount connections etc. • Almost no performance guarantees due to latency on the internet
- 34. Design – Multi-tier network + VPN
- 35. Demo Creating a VPN connection Demo Creating A Basic Network DemoDeploy a VPN connected network with ARM templates Demo 5
- 37. •Connection via: • Cloud Exchange • Service Provider •Connection is secure/private •Performance Your Private Connection to Azure
- 38. Peering Types
- 40. Intranet Internet Azure Private Peering Forced Tunnelling DMZ/Extranet 0.0.0.0/0 xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx Design Forced tunneling with Express Route
- 41. Design Multi-tier network + ER + Fallback VPN
- 43. SecuritySecurity Networking is one of the first lines of defence
- 44. •Security starts in your design • Assume breach •Use network components • Network Security Groups • Network Virtual Appliances •Security Center Security in your design
- 45. •Analyzes security health •Network related recommendations • Add a next generation firewall • Route traffic through NGFW only • Enable NSGs • Restrict access through Internet facing endpoint Security Center
- 46. Demo Security Center Demo Creating A Basic Network DemoSecurity Center Demo 6
- 48. Challenge • Create a Hub-Spoke VNET topology • Deploy two VNETs • Connect them by using VNET peering • Deploy one VM in a spoke VNET • Deploy one VM in the hub VNET • Test the connectivity between the two VMs Win a ticket for Experts Live Netherlands 19 June, Cinemec Ede