Partner Practice Enablement - Overview
This session is focused on networking with Microsoft Azure Infrastructure Services. Learn how to enable, secure and load balance network endpoints. Learn about hybrid connectivity options with Microsoft Azure Virtual Networks as well as distributing traffic globally with Microsoft Azure Traffic Manager.
Audience: IT Professionals, Architects
Module 1 – Introduction to Microsoft Azure
Module 2 – Microsoft Azure Virtual Machines
Module 3 – Microsoft Azure Networking
Module 4 – Microsoft Azure Active Directory
Module 5 – Cloud Services and Web Sites
Module 6 – SQL Server and SharePoint
Module 7 – Management and Monitoring
CEO & Co-Founder of Opsgility, Experts in Instructor-Led Microsoft Azure Training.
Prior to starting Opsgility, Michael was a Principal Cloud Architect with a leading Solution Integrator and a fifteen-year Microsoft veteran. While at Microsoft, Michael's roles included Senior Program Manager on the Microsoft Azure Runtime team and Senior Technical Evangelist for Microsoft Azure Infrastructure Services.
Michael was the original developer of the Microsoft Azure PowerShell Cmdlets and is a globally recognized speaker for conferences such as TechEd and BUILD.
About the Instructor
Michael Washam, Microsoft Azure Trainer
http://www.opsgility.com
Twitter: @MWashamTX
michael@Opsgility.com
Overview: Connectivity in Azure
VIP: Input Endpoint
• Forwards public -> private traffic per port
• Listens on the public IP address of the cloud service
• Optionally load balanced across multiple virtual machines
• Supported protocols: TCP/UDP
• Default endpoints: RDP and PowerShell
(Diagram: input endpoint on the cloudservice.cloudapp.net VIP)

Public Virtual IP Address (VIP)
Public IP address of the cloud service.
• Can change if all virtual machines are deleted or stopped
• Support for reserved IP addresses in cases where the IP should not change

Internal IP Address(es)
Internal IP address of a virtual machine, set by Microsoft Azure from its own address pool, or from your own address pool if using a virtual network. Can change unless deployed into a virtual network.
Reserved IP Addresses
Reserved IP addresses for cloud service IPs: a persistent external IP address even if all virtual machines are stopped or deleted.
Set via the Azure PowerShell cmdlets:
New-AzureReservedIP -ReservedIPName "myIP" `
                    -Location "West US"
New-AzureVM -ReservedIPName "myIP" ...
(Diagram: contososvc.cloudapp.net at 137.135.67.36 = myIP, fronting IIS-VM1 and IIS-VM2)
Port Forwarding Input Endpoints
Single public IP per cloud service; multiple VMs cannot share the same public port, so each VM gets its own public port forwarded to its local port.
(Diagram: the cloud service VIP forwards public ports 6510 and 6511 to port 3389 on VM1 and VM2)
Endpoint VM1 – Public Port: 6510, Local Port: 3389, Protocol: TCP, Name: Remote Desktop
Endpoint VM2 – Public Port: 6511, Local Port: 3389, Protocol: TCP, Name: Remote Desktop
Per Virtual Machine Public IP Addresses
Each virtual machine can be assigned a public IP address
IP is not load balanced or behind the firewall
Not available in all regions
(Diagram: IIS-VM1 at 23.100.44.180 and IIS-VM2 at 23.100.44.181 behind contososvc.cloudapp.net, each with a TCP endpoint: public port 5001 / 5002 to private port 3389)
New-AzureVMConfig -Name "vm1" ... |
    Add-AzureProvisioningConfig -Windows ... |
    Set-AzurePublicIP -PublicIPName "vm1ip" |
    New-AzureVM ...
Using the External Load Balancer
Single public IP per cloud service; multiple VMs can share the same public port when their endpoints are placed in the same load-balanced set.
(Diagram: the cloud service VIP contososvc.cloudapp.net load balances port 80 across IIS-VM1, IIS-VM2 and IIS-VM3)
Endpoint VM1 – Public Port: 80, Local Port: 80, Protocol: TCP, Name: HTTP, LBSetName: LBHTTP
Endpoint VM2 – Public Port: 80, Local Port: 80, Protocol: TCP, Name: HTTP, LBSetName: LBHTTP
Default Probe Behavior (TCP Health Probe)
Load balancer probes every 15 seconds
Looks for ACK on socket connect
Traffic stops until ACK received (after two failures)
Continues polling
(Diagram: TCP health probe on port 80 against IIS-VM1, IIS-VM2 and IIS-VM3)

HTTP Health Probe
Health probe every 15 seconds
HTTP 200 means healthy
Traffic stops until 200 received (after two failures)
Continues polling until healthy
Allows deeper inspection into the health of a web application via custom code.
(Diagram: probes on port 80 against http://IIS-VM1/healthcheck.aspx, http://IIS-VM2/healthcheck.aspx and http://IIS-VM3/healthcheck.aspx)
Configuring ACLs
Rule Configuration
Specify Remote Subnet(s)
Permit or Deny and Rule Processing Order
Description for each Rule
Configuration
Portal or PowerShell
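The endpoint layout described above (port-forwarded RDP per VM, one shared load-balanced HTTP endpoint with an HTTP health probe, and an ACL on the RDP endpoints), as an added example written for this page with the classic Azure Service Management cmdlets; it is not code from the deck. The service and VM names, the LBHTTP set and the port numbers come from the slides; the management subnet 203.0.113.0/24 and the /healthcheck.aspx path are placeholders.

```powershell
# Added example (not from the deck): classic Azure Service Management cmdlets.
# contososvc, IIS-VM1/IIS-VM2, LBHTTP and the port numbers come from the slides;
# 203.0.113.0/24 is a constructed placeholder for the management subnet.
$serviceName    = "contososvc"
$vmNames        = @("IIS-VM1", "IIS-VM2")
$rdpPublicPorts = @{ "IIS-VM1" = 6510; "IIS-VM2" = 6511 }   # one public port per VM

# Endpoint ACL for RDP: once a Permit rule exists, every other remote subnet is
# implicitly denied, so only the management subnet can reach port 3389.
$rdpAcl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $rdpAcl -Action Permit `
    -RemoteSubnet "203.0.113.0/24" -Order 100 -Description "Management subnet"

foreach ($vmName in $vmNames) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

    # Port forwarding: replace the default Remote Desktop endpoint (auto-assigned
    # public port) with a known public port, 6510/6511 -> local 3389, guarded by the ACL.
    $vm = $vm | Remove-AzureEndpoint -Name "Remote Desktop"
    $vm = $vm | Add-AzureEndpoint -Name "Remote Desktop" -Protocol tcp `
        -LocalPort 3389 -PublicPort $rdpPublicPorts[$vmName] -ACL $rdpAcl

    # Load balancing: both VMs share public port 80 through LB set LBHTTP.
    # The HTTP probe expects a 200 from /healthcheck.aspx every 15 s; after 31 s
    # without one (two missed probes) the VM is taken out of rotation.
    $vm = $vm | Add-AzureEndpoint -Name "HTTP" -Protocol tcp -LocalPort 80 `
        -PublicPort 80 -LBSetName "LBHTTP" -ProbeProtocol http -ProbePort 80 `
        -ProbePath "/healthcheck.aspx" -ProbeIntervalInSeconds 15 `
        -ProbeTimeoutInSeconds 31

    $vm | Update-AzureVM
}

# Verify: endpoints, probe settings and the ACL actually applied to RDP.
foreach ($vmName in $vmNames) {
    $vm = Get-AzureVM -ServiceName $serviceName -Name $vmName
    $vm | Get-AzureEndpoint |
        Select-Object Name, PublicPort, LocalPort, LBSetName, ProbeProtocol, ProbePath
    $vm | Get-AzureAclConfig -EndpointName "Remote Desktop"
}
```

The verification loop is the check worth keeping in an operations runbook: an RDP endpoint that shows no ACL rules is reachable from the whole Internet on its public port.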
Virtual Network
Logical isolation with control over the network
Create subnets; use your private IP addresses
Support for static IP addresses
Support for internal load balancing
DNS options – BYO or Microsoft Azure-provided
Extend your trust boundary – VMs and Cloud Services on the same network
(Diagram: Microsoft Azure virtual network with subnetX, subnetY, subnetZ and a DNS server)

Bring Your Own DNS
Specify DNS servers in the virtual network:
• Hosted in an Azure VM
• External
• On-premises (with hybrid connection)
VMs are assigned the specified DNS at boot. TIP: if DNS is added after a virtual machine is running, a reboot is required for assignment.
(Diagram: virtual network with address space 10.0.0.0/16 and DNS servers AD-01 10.0.0.4 and AD-02 10.0.0.5. Subnet Web: IIS-VM-01 10.0.1.4 and IIS-VM-02 10.0.1.5 in one cloud service. Subnet AD: AD-VM-01 10.0.0.4 and AD-VM-02 10.0.0.5 in another cloud service.)
Internal Load Balancing with Virtual Networks
(Diagram: virtual network with address space 10.0.0.0/16. Subnet AD: AD-VM-01 10.0.4.4 and AD-VM-02 10.0.4.5 (AV set AD). Subnet WEB: SharePoint web front ends at 10.0.1.4, 10.0.1.5 and 10.0.1.6 (AV set SPWFE). Subnet APPS: SharePoint app servers at 10.0.2.4, 10.0.2.5 and 10.0.2.6 (AV set SPAPP). Subnet SQL: SQL AlwaysOn nodes at 10.0.3.4 and 10.0.3.5 plus SQLWITNESS at 10.0.3.6 (AV set SQL). On premises 192.168.0.0/16: AD-DC-01 192.168.0.1, AD-DC-02 192.168.0.2 and other servers, joined over a hybrid connection.)
Active Directory replication; access on-premises resources; access the intranet over the hybrid connection.
https://spintranet maps to 10.0.0.100, the internal load balancer IP.
Set the internal load balancer IP with New-AzureInternalLoadBalancerConfig.
Static IP Addresses
Use static IP addresses to request that a specific IP address be assigned to the virtual machine.
Addresses are available from the assigned virtual network subnet.
Assignment will fail if another virtual machine has already been assigned the IP.
Deploy virtual machines with static IP addresses into their own subnets to avoid conflicts with other virtual machines.
Set via PowerShell (Set-AzureStaticVNetIP)
Microsoft Azure Hybrid Options
Secure point-to-site connectivity – Virtual Network (Point-to-Site)
• 80 Mbps
• Configure up to 254 clients to connect per virtual network
Secure site-to-site VPN connectivity – Virtual Network (Site-to-Site)
• 80 Mbps
• Connect the on-premises network to the virtual network using IPsec over the Internet
Private site-to-site connectivity – ExpressRoute
• 10 Mbps – 10 Gbps
• Direct connectivity through an Exchange Provider or Network Service Provider to Azure
Comparing Hybrid Options
ExpressRoute
• Bandwidth: 10 Mbps – 10 Gbps, committed bandwidth
• Security: private isolated network between provider and Azure; control over routing and traffic
• Management: configure once, simple to add new virtual networks
• Workloads: enterprise connectivity, mission critical, disaster recovery, hybrid applications
Site-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration of an IPsec VPN device for each virtual network created
• Workloads: hybrid applications, dev/test, secure management
Point-to-Site
• Bandwidth: 80 Mbps, no performance commitment
• Security: encrypted tunnel over the Internet
• Management: configuration on each individual client machine
• Workloads: dev/test, secure management
Capabilities
(Diagram: the on-premises datacenter, using a hardware VPN or Windows RRAS, connects by Site-to-Site VPN to the VPN gateway of the Microsoft Azure virtual network; individual computers behind the corporate firewall and remote workers connect by Point-to-Site VPN; the virtual network hosts WFE, App, SQL and DC/DNS.)

Site-to-Site VPN
Extend on-premises to the cloud securely (IPsec)
On-ramp for migrating services to the cloud
Use on-prem resources in Microsoft Azure (monitoring, AD, etc.)
IPsec (IKEv1 and IKEv2)
Regional Virtual Networks
Connect virtual networks across Azure regions or subscriptions
(Diagram: the West US virtual network, gateway IP 137.135.8.71, address space 10.0.4.0/24, local network 10.0.5.0/24, is connected over the Internet by IPsec to the East US virtual network, gateway IP 23.100.36.231, address space 10.0.5.0/24, local network 10.0.4.0/24. Each side hosts IIS-VM-01 and IIS-VM-02 in a cloud service.)
Multi-Site Virtual Networks
(Diagram: three on-premises sites, each with its own gateway IP and address space – site #1 96.226.123.9 / 192.168.1.0/24, site #2 96.226.123.51 / 192.168.2.0/24, site #3 96.226.123.92 / 192.168.3.0/24 – connected by secure IPsec to two virtual networks: one with gateway IP 137.135.67.12, address space 10.0.2.0/24 and local networks 10.0.1.0/24 and 192.168.0.0; the other with gateway IP 137.135.8.71, address space 10.0.1.0/24 and local networks 10.0.2.0/24 and 192.168.0.0/16.)
Virtual Networks & P2S Connectivity
Connect from anywhere securely
Secure Socket Tunneling Protocol (SSTP)
Easy to set up and use
Ideal for prototyping, dev & demos
P2S and S2S coexist
(Diagram: Microsoft Azure virtual network with a VPN gateway hosting WFE, App, SQL and DC/DNS)
Virtual Network Device Options
Generic VPN devices must support:
• IKE v1, v2
• AES 128, 256
• SHA1, SHA2
• http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx
Creating a Virtual Network
Always plan and create the virtual network first: VMs are provisioned into a virtual network (an existing virtual machine cannot easily be moved to a VNET).
Virtual network configuration file: import/export from the management portal and use as a template; applies to all VNETs in the selected subscription.
Create via the Microsoft Azure management portal
Create via PowerShell: get-help azurevnet
Gateway redundancy and availability
Gateway roles in Microsoft Azure have 2 instances (active-passive mode)
A pair of VPN devices can be made redundant (e.g. F5 BIG-IP), and the RRAS service on Windows Server is supported in a clustered configuration.
Pricing and SLA
$0.05/hour (~$37/month)
Standard data transfer rates apply
99.9% Virtual Network gateway availability
ExpressRoute: high throughput, security, lower cost, predictable performance

What is ExpressRoute?
ExpressRoute provides organizations a private, dedicated, high-throughput network connection between Microsoft Azure datacenters and their on-premises IT environment.
(Diagram: ExpressRoute providers – in the Exchange Provider scenario the customer site connects at an ExpressRoute partner location; in the Network Service Provider scenario customer sites 1–3 connect over the provider's WAN.)
High Performance and Predictable
Exchange Providers – monthly fee with included outbound data transfer; unlimited inbound data transfer included
• 200 Mbps+: 3 TB/month
• 500 Mbps+: 7.5 TB/month
• 1 Gbps+: 15 TB/month
• 10 Gbps+: 250 TB/month
Network Service Providers – monthly dual-port fee; unlimited data transfer (in and out) included
• 10 Mbps, 50 Mbps, 50 Mbps, 100 Mbps, 500 Mbps, 1 Gbps
99.9% SLA – dedicated circuit uptime
Enable mission critical workloads: dev/test lab, BI/big data, media, productivity apps, storage, backup and recovery, hybrid apps
Security and Privacy
Direct connect to your infrastructure hosted in Microsoft Azure, bypassing the public Internet
Direct connect to Microsoft Azure services such as SQL Database and Microsoft Azure Storage
(Diagram: customer's network – connectivity provider infrastructure – Azure edge. The ExpressRoute circuit is dedicated and private and carries traffic to Microsoft Azure public services and to Microsoft Azure virtual networks; the public Internet is a separate path.)

Public and Private peering
(Diagram: Contoso on-premises (10.0.0.0/16) with Exchange, AD/DNS, IIS servers, SQL farm, proxy/Internet edge and monitoring. Over the provider infrastructure, private peering carries cross-premises traffic to Contoso virtual networks/VMs and public peering carries Azure service access to public services such as Storage, SQL and Websites; direct Internet traffic stays Internet bound over the public Internet.)

Cross Region Connectivity
(Diagram: one ExpressRoute circuit of isolated VLANs into the Microsoft Azure private network. Private peering reaches Virtual Network (West US) and Virtual Network (East US); public peering reaches Public Services (West US) and Public Services (East US); traffic to on-premises returns over the circuit.)
ExpressRoute and Disaster Recovery
(Diagram: on-premises at Equinix – Silicon Valley with Active Directory, SharePoint WEB and SharePoint App tiers, an F5 BIG-IP load balancer, SQL Primary and SQL Witness, connected by an ExpressRoute circuit (1 Gbps) to Microsoft Azure – West US, which hosts a domain controller, SharePoint WEB and App tiers and a SQL Always On replica in availability sets SPWEB, SPAPP, SQL and AD. Synchronous commit for automatic failover.)
Traffic Manager – DNS Based Load Balancer
Three load balancing algorithms: Performance, Round Robin, Failover
Map your domain name to yourservice.trafficmanager.net with a CNAME:
contoso.com -> contosotm.trafficmanager.net
Map cloud service URLs in global data centers to the Traffic Manager profile:
contosoeast.cloudapp.net
contosowest.cloudapp.net
Built-in HTTP health probes for high availability

Performance
Traffic Manager determines the fastest route for the client and returns the IP for the appropriate cloud service.
(Diagram: contosotm.trafficmanager.net fronts contosowest.cloudapp.net (West US) and contosoeast.cloudapp.net (East US), each a cloud service with IIS-VM-01 and IIS-VM-02 and its own health probes. A request for contoso.com from Portland, OR is answered with the IP for contosowest.cloudapp.net after Traffic Manager calculates hops.)

Round Robin
Traffic Manager returns IPs in a round robin fashion regardless of client location.
(Diagram: same two cloud services; the request for contoso.com from Portland, OR is answered with the IP for contosoeast.cloudapp.net, because Traffic Manager returns the next IP, which could be West or East.)

Failover
Traffic Manager always returns the IP address of the primary cloud service unless it fails a health check.
(Diagram: same two cloud services; all requests for contoso.com are answered with the IP for contosowest.cloudapp.net; once the health probe marks West failed, all requests are answered with the IP for contosoeast.cloudapp.net.)
Recommended
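The failover profile from the diagrams above, as an added example written for this page with the classic Azure Service Management Traffic Manager cmdlets; it is not code from the deck. The profile and cloud service names are the ones on the slides; the /healthcheck.aspx monitor path is an assumption.

```powershell
# Added example (not from the deck): classic Azure Service Management cmdlets.
# contosotm.trafficmanager.net, contosowest.cloudapp.net and contosoeast.cloudapp.net
# come from the slides; /healthcheck.aspx is an assumed monitor path.
$tmDomain = "contosotm.trafficmanager.net"

# The trafficmanager.net name must be unused before the profile can be created.
if (-not (Test-AzureTrafficManagerDomainName -DomainName $tmDomain)) {
    throw "$tmDomain is already taken"
}

# Failover method: endpoints are tried in the order they are added, so West is the
# primary. The HTTP monitor decides when to fail over; a short TTL (300 s) limits
# how long clients keep resolving to a failed primary.
$tmProfile = New-AzureTrafficManagerProfile -Name "contosotm" -DomainName $tmDomain `
    -LoadBalancingMethod "Failover" -MonitorProtocol "Http" -MonitorPort 80 `
    -MonitorRelativePath "/healthcheck.aspx" -Ttl 300

# Primary, then secondary.
$tmProfile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tmProfile `
    -DomainName "contosowest.cloudapp.net" -Type "CloudService" -Status "Enabled"
$tmProfile = Add-AzureTrafficManagerEndpoint -TrafficManagerProfile $tmProfile `
    -DomainName "contosoeast.cloudapp.net" -Type "CloudService" -Status "Enabled"

# Nothing takes effect until the profile definition is saved.
$tmProfile = Set-AzureTrafficManagerProfile -TrafficManagerProfile $tmProfile

# Review endpoint order and what the monitor currently reports for each endpoint.
$tmProfile.Endpoints | Select-Object DomainName, Status, MonitorStatus
```

The CNAME contoso.com -> contosotm.trafficmanager.net is created at the public DNS provider for contoso.com, not in Azure, and each cloud service must serve the monitor path over port 80 or Traffic Manager will treat it as degraded.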