
Azure Networking Fridays with the C+E Black Belts

Olivier Martin (@omartin) – Azure Networking Black Belt

Kevin Lopez (@kevlopez) – ER Partner Sales Executive

Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive

Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded.

• We’ll post material @ http://aka.ms/AzureNetworkingFridays

Agenda for October 28th, 2016

• Azure Networking from 0 to 60

• Azure Networking Partner Spotlight: F5 BIG-IP

• Deep dive topic of the week: Guest Speaker Telmo Sampaio (Principal Program Manager, Azure CAT)

• Open Q&A!

Azure services overview (slide diagram; panels: Platform Services, Security & Management, Infrastructure Services). Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot.

• BGP for redundant paths and dynamic routing

• Automatic shortest path selection and failover

• Transit over Microsoft global network

• Secure connectivity using Internet only for “last mile”

• Support on-premises network with multiple ISPs and VPN devices

• From active-standby to active-active

• Support both cross-premises and VNet-to-VNet connectivity

• Spreading traffic over multiple tunnels simultaneously

Map slide: locations shown are Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin and Frankfurt (Dallas, Washington DC, New York and Chicago appear a second time), with separate panels labelled US Government, Germany and China.

Diagram slide: one Azure Active Directory tenant over several Azure subscriptions, each with its own access control and virtual network; each virtual network holds a firewall pair (FW), IIS web servers and SQL behind Azure load balancers, reached over ExpressRoute and the Internet.

ExpressRoute and Virtual Appliance Partner Contacts

Partner | Contact | Partner type
Equinix Professional Services | epssales@equinix.com | ExpressRoute SI Partner
Perficient | ExpressRoute@perficient.com | ExpressRoute SI Partner
Project Leadership | ExpressRoute@projectleadership.net | ExpressRoute SI Partner
Aryaka | AzureExpressRoute@aryaka.com | ExpressRoute Connectivity Partner
AT&T | AT&T Information Request Form | ExpressRoute Connectivity Partner
Cologix | sales@cologix.com | ExpressRoute Connectivity Partner
Comcast | http://business.comcast.com/landingpage/microsoft-azure | ExpressRoute Connectivity Partner
CoreSite | ExpressRoute@coresite.com | ExpressRoute Connectivity Partner
Equinix | ExpressRoute@equinix.com | ExpressRoute Connectivity Partner
Level 3 | http://Level3.com/Azure | ExpressRoute Connectivity Partner
Megaport | ExpressRoute@megaport.com | ExpressRoute Connectivity Partner
Orange | galerie.contact@orange.com | ExpressRoute Connectivity Partner
Tata Communication | ER@TataCommuniccations.com | ExpressRoute Connectivity Partner
Verizon | Microsoft.SCILeads@verizonwireless.com | ExpressRoute Connectivity Partner
Zayo | azureleads@zayo.com | ExpressRoute Connectivity Partner
Barracuda | azure_support@barracuda.com | Network Virtual Appliance Partner
Check Point | http://www.checkpoint.com/vsec | Network Virtual Appliance Partner
F5 | azureinfo@f5.com | Network Virtual Appliance Partner
Riverbed | msftcloudsales@riverbed.com | Network Virtual Appliance Partner

Partner Spotlight :

F5 | Microsoft Azure Solutions Overview

Gregory Coward, Solutions Architect, F5 Business Development

azureinfo@f5.com – Technical Follow-up

t.dorscht@f5.com – Sales Follow-up

“Leverages the same user interface, management, and breadth of features as on BIG-IP Hardware”

BIG-IP L4-L7 Services in Azure

Advanced Global Server Load Balancing

Remote Access, Pre-Authentication, SSO, and Multi-Factor Authentication

SAML 2.0 Federation IdP/SP

ICSA Certified Web Application Firewall / WAF

ICSA Certified L3/4 Network Firewall

Intelligent L7 Load Balancing

F5 | The BIG-IP in Azure “Available in Classic and ARM modes”

F5 | BIG-IP Modules

VIPRION Platform · BIG-IP Platform · BIG-IP Virtual Edition

High Performance Fabric

TMOS

PERFORMANCE · AVAILABILITY · SECURITY

LTM (Local Traffic Manager)

• Intelligent L4-L7 Load Balancing

• Traffic Optimization (Caching & Compression)

• Deep Packet Inspection

• Intelligent Traffic Steering

• Full-Proxy Architecture

DNS (Global Traffic Manager)

• Global Server Load Balancing (GSLB)

• Application availability awareness

• Geolocation

• DNS services

• DNSSEC

APM (Access Policy Manager)

• Strategic Point of Control for Application Delivery

• Multi-Factor = Integrates with RSA, SecurID, RADIUS, OTP, certificates, etc.

• Device-based access controls

• Single Sign-On (SSO)

ASM (Application Security Manager)

• ICSA Labs Certified Layer 7 firewall

• Web Application Firewall

• Positive and Negative Security Models

• Mitigate Layer 7 attacks – DDoS, SQL injection, OWASP Top Ten

AFM (Advanced Firewall Manager)

• ICSA Labs Certified

• Stateful firewall

• Processes 8x more traffic than closest competitor

• Access rules applied at multiple levels (virtual server, VLAN, route domain)

AAM (Application Acceleration Manager)

• Web performance optimization

• Mobile optimization

• WAN Optimization

• SaaS acceleration


F5 | The BIG-IP in Azure

Technical Specifics and Limitations

• Functions as any other Linux-based VM deployment

• Availability Sets

• Azure native HA/LB

• User Defined Routing

• Single-NIC & Multi-NIC deployments

• DHCP by default, and the only option via the Azure Web Portal

• Static IP can be configured via PowerShell

• Each host (including BIG-IP) is limited to 1 external IP.

• Automatically assigned

• Utilizes DNAT

• Public IP addresses can be dynamic or static

F5 | The BIG-IP in Azure

Technical Specifics and Limitations

• Deploys pre-configured with VLAN and Self-IP

• Initial deployment/configuration has idiosyncrasies

• Deployed via PowerShell or Web Portal

• Maximum Throughput per instance 1GB*

• Can be deployed in a variety of Virtual Machine sizes (minimum 1 core, 1.75 GB)

Multi-NIC Version Available

• Still limited to one external facing IP

• Must be installed via PowerShell, CLI, ARM templates

* Higher throughput possible via larger instance sizes and/or multi-NIC

F5 | Azure Security Center Deployment

• BIG-IP VE w/ASM as a service

• Three levels of WAF Policy Enforcement

• Currently only supported in ARM mode

• 1 to 2 instances can be deployed

• One Application per WAF deployment

• BYOL

F5 | Azure Security Center: WAF Considerations

F5 | User Experience Demo

Demo diagram: end users reach the application over the Internet through BIG-IP Global Traffic Manager (DNS), BIG-IP Local Traffic Manager (LTM), BIG-IP Access Policy Manager (APM), BIG-IP Application Security Manager (ASM) and BIG-IP Advanced Firewall Manager (AFM); a Europe deployment is shown.

F5 | The BIG-IP in Azure – DEMO

Technical Deep Dive with special guest :

Telmo Sampaio, Senior Program Manager, Azure CAT

Reference Architectures: Goal

• Proven by AzureCAT customers

• Golden path per each scenario with recommendations and considerations

• ARM templates to provision recommended architecture

Reference Architectures

Running virtual machines on Azure:

• Running a Windows VM on Azure

• Running a Linux VM on Azure

• Running multiple VMs for scalability and availability

• Running VMs for an N-tier architecture

• Adding reliability to an N-tier architecture (Windows)

• Adding reliability to an N-tier architecture (Linux)

• Running VMs in multiple regions for high availability (Windows)

• Running VMs in multiple regions for high availability (Linux)

Hybrid network architectures:

• Implementing a hybrid network architecture with Azure and on-premises VPN

• Implementing a hybrid network architecture with Azure ExpressRoute

• Implementing a highly available hybrid network architecture

• Implementing a DMZ between Azure and your on-premises datacenter

• Implementing a DMZ between Azure and the Internet

Identity:

• Extending Active Directory to Azure

• Implementing a secure hybrid network architecture with federated identities in Azure

Web applications (PaaS):

• Basic web application

• Improving scalability in a web application

• Web application with high availability

From RAs to composable elements

Diagram 1 (N-tier VNet): Azure VNet 10.0.0.0/16; Management subnet 10.0.0.128/25 (jump box, monitoring, NSG); Web tier 10.0.1.0/24, Business tier 10.0.2.0/24 and Data tier 10.0.3.0/24, each an availability set with an NSG; public IPs (PIP), DevOps access and replication are also labelled.

Diagram 2 (hybrid network with VPN): the same VNet plus a Gateway subnet 10.0.255.224/27 hosting the VPN Gateway, connected to the on-premises network 192.168.0.0/16 through its gateway.

Diagram 3 (DMZ): Gateway subnet 10.0.255.224/27 with UDR; Private DMZ in 10.0.0.0/27 and Private DMZ out 10.0.0.32/27 around a pair of NVAs (each shown with NICs) behind an internal load balancer, with NSGs; Public DMZ in 10.0.0.64/27 and Public DMZ out 10.0.0.96/27 around a second NVA pair with NSGs and public IPs (PIP); Management subnet 10.0.0.128/25 (jump box, monitoring, NSG); Web, Business and Data tiers as above.

Diagram 4 (federated identity): AD FS proxy subnet 10.0.4.128/27, AD FS subnet 10.0.4.32/27 and AD DS subnet 10.0.4.0/27, each an availability set with an NSG; on-premises network 192.168.0.0/16 via its gateway; a partner network with a federation server and a trust relationship; flows shown: web app request, federated authentication request, authentication request.

Open Q&A

Thank you!

Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays