Azure Networking Fridays with the C+E Black Belts

Olivier Martin (@omartin) – Azure Networking GBB

Kevin Lopez (@kevlopez) – ER Partner Sales Executive GBB

Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive GBB

New Team Member 1 (@...)

New Team Member 2 (@...)


Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded and posted at http://aka.ms/AzureNetworkingFridays


Agenda for January 20th, 2017

• Happy New Year!

• Azure Networking from 0 to 60

• New Team Members!

• Guest Speaker of the week: Bala Natarajan, Senior Program Manager, Azure ECG CAT

• Partner Spotlight: Cisco

• Open Q&A


[Figure: Azure services overview. Section labels: Platform Services; Security & Management; Infrastructure Services. Services shown: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, Remote App, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot]


[Map figure. City labels: Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt. Further labels: Dallas, Washington DC, New York, Chicago; US Government; Germany; China]


[Diagram labels: Azure Active Directory; Azure subscription (x3); Access Control (x3); Virtual Network (x4); FW, IIS and SQL tiers in each network; ExpressRoute (x2); Internet (x4); Azure load balancer (x7)]


Introducing 1 new member to the team!


Bryan Woodworth

• 10 years in networking and application delivery

• Focus on hybrid architectures and high availability

• Redmond is home for me, my wife, and 3 children

• Used to play drums in a punk rock band, toured the US a few times in a van


Introducing another new member to the team!


Eddie Villalba

• Just Married (April 2016)

• 7 years at Microsoft, over 16 years in IT

• Born and raised in Manhattan, NY, lived in San Antonio, TX, Destin, FL, Oklahoma City, OK and home is now Pembroke Pines, FL

• Honorable Discharge from the United States Air Force as E-5 Staff Sergeant after 10 years serving as a Combat Controller

• Attended Florida State University – GO NOLES!!!

• Hobbies / Personal Interests

  • Diving – Adv. Open Water, Tech Diver, Nitrox, Wreck, Deep, Navigation

  • Building and Flying Quadcopters (Drones)

  • Amateur Radio Operator (Ham Radio N4EJV)

• CISSP, MCSE Cloud Platform & Infrastructure, MCT

• Volunteer for Wounded Warrior Foundation & South Florida Technology Alliance


Bala Natarajan, Senior Program Manager, Azure ECG CAT


Azure Stack TP2


• SMB, Enterprises

  • Connect to Azure compute

• Developers

  • POC Efforts

  • Small scale deployments

  • Connect from anywhere

• Consumers

  • Access over public IP

  • DNS resolution

  • Connect from anywhere

• SMB & Enterprises

  • Mission critical workloads

  • Backup/DR, media, HPC

  • Connect to Microsoft services


Please enter login information for 10.197.169.242.

Username: msadmin

CCCCCCCCCCC

NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE

Device name 25-3275-R03-ASR1K-01

Unauthorized access and/or use prohibited.

All access and/or use subject to monitoring.

NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE

Password:

CCCCCCCCCCC

Do not attempt to access this device unless you are authorized.

For questions, contact WSNET.

System Name: 25-3275-R03-ASR1K-01

Owner: WSNET

25-3275-R03-ASR1K-01#sh run

Building configuration...

Current configuration : 7466 bytes

!

! Last configuration change at 22:15:39 UTC Fri Dec 30 2016 by admin

!

version 15.4


Partner Spotlight: Cisco

Tony Banuelos, Technical Marketing Engineer


CSR 1000v Product Management Team

Cisco CSR 1000v on Microsoft Azure

January 24, 2017

Tony Banuelos, Product Marketing Engineer


What is the Cloud Service Router (CSR) 1000v?

• Virtual appliance version of Cisco IOS XE

• Same operating system as ISR 4400 and ASR 1000 routers

• Provides numerous network services including routing, firewall, VPN, NAT, application and performance monitoring, and more

• Flexible feature and throughput licensing

• Traditional IOS XE SSH/Telnet and modern NETCONF/RESTConf API management tools


Cisco Confidential. © 2015 Cisco and/or its affiliates. All rights reserved.

Cisco Cloud Services Router (CSR) 1000V and Integrated Services Virtual Router (ISRv)

Cisco IOS XE Software in a Virtual Network Function Form-Factor

Software

• Familiar IOS XE software

Infrastructure Agnostic

• Runs on x86 platforms

• Supported on VMware ESXi, RHEL KVM, Ubuntu KVM, Citrix Xen, Microsoft Hyper-V, Amazon AWS, Microsoft Azure and Cisco NFVIS (ISRv only)

Performance Elasticity

• Available licenses range from 10 Mbps to 10 Gbps

• CPU footprint ranges from 1vCPU to 8vCPU

License Options

• Term based 1 year, 3 year or 5 year

• Smart License enabled

Programmability

• NetConf/Yang, RESTConf and SSH/Telnet

[Diagram labels: Server; Hypervisor; Virtual Switch; OS / App (x2); CSR 1000V / ISRv with RP and DP]

Enterprise-class Networking with Rapid Deployment and Flexibility


Where does CSR1000V get deployed?

• Cisco CSR1000V is deployed in many different use cases and environments

CSR1000v Public Cloud (AWS, Azure)

• Extending enterprise network to public cloud. Creates a common routing fabric across virtual and physical domains, common management policies across physical, cloud and virtual platforms

CSR1000v SP Hybrid Cloud

• Direct MPLS connectivity with high performance for Hybrid Cloud use cases offered via cloud and SP partners

CSR1000v DC VM network Overlay (VXLAN, LISP, OTV, EVPN)

• Datacenter peering between virtualized workloads using transport overlay technologies

CSR1000v High-Scale single service VNF (vRR, vCGN, vFW)

• vRR – Store and reflect millions of routes

• vCGN – NAT 100s of thousands of IPv4 or IPv6 sessions

• vZBFW – Zone off network segments using vFW

[Diagram labels: vCGN; ISP; Internet; 68.12.10.12; 172.10.1.x; .1, .2, .3]

CSR1000v vBNG (vLNS, vISG)

• Virtual Broadband Network Gateway. MSP residential service delivering bandwidth and accounting features for Home broadband offers

CSR1000v/ISRv vBranch (ENFV, uCPE)

• WAN services virtualized and running locally at customer premise. Cisco ENFV hosting virtual solution or third-party

• Central Orchestration and management

[Diagram labels: SP or Enterprise]

CSR1000v vCPE (vMS, hosted vCPE)

• WAN services virtualized and hosted in cloud. A Thin-CPE at customer prem. Multi-tenancy capability.

• Central Orchestration and management

[Diagram labels: SP DC; Managed Service]

[Category labels: DC Network Infra; Cloud Networking; Enterprise; SP Managed Service; SP Home BB svcs]


Why Support Microsoft Azure?

IOS XE Coverage for All Deployment Types

• Enterprise Data Center: ISR 4400, ASR 1000

• Hypervisor: CSR 1000v

• Cloud Platform: CSR 1000v


Extending Enterprise Networks into Any Cloud Using Proven IOS XE Platforms in all Locations

[Diagram labels: Enterprise Locations; Existing Enterprise Network; Public Clouds; Others]


The Benefits of Bringing IOS XE into Public Clouds

• Extends Existing Routing Topology

• Integrates With Existing VPN Topology (e.g. DMVPN)

• Shares Existing Zone Based Firewall Policies

• Network Logging to Existing Tools

• Identifies Cloud Performance Problems

• IOS XE Supportable by Existing IT Staff

• Existing Monitoring Tools

• Existing Troubleshooting Steps


CSR 1000v + Azure Use Cases


Seamlessly Extend Enterprise Networks into Azure: Site-to-Site VPN Using the CSR 1000v

• Connect one or many physical locations into an Azure Virtual Network (VNet)

• Full suite of enterprise VPN compatibility: IPSec, DMVPN, FlexVPN, EZVPN

• Up to 1,000 concurrent VPN tunnels per CSR instance (Scalable Retail, Hospitality, etc.)

• Extend existing enterprise VPN architectures into Microsoft Azure (DMVPN, full-mesh)

• Standard IOS based VPN configuration, monitoring, and troubleshooting

[Diagram labels: Subnet; Virtual Network; corporate office/branch]


Securely Connect Remote Users to the Azure Cloud: Remote Access VPN Using the CSR 1000v

• SSLVPN access using Cisco AnyConnect for teleworkers and remote users

• Flexible AAA server options for remote user authentication

• Replicate or scale your applications in Azure regions near your users

• Seamless transition for existing AnyConnect deployments (no new client, reuse existing configuration)

[Diagram labels: Subnet; Virtual Network; CSR 1000v]


A Worldwide Hybrid-Cloud Network: Interconnect Azure VNets Alongside Enterprise Locations

• Interconnect multiple Azure regions seamlessly alongside physical locations

• Direct accessibility between any enterprise location and any Azure region

• Overcomes VPN tunnel limitation on Azure VPN Gateways

• Extend existing enterprise routing architecture into Azure regions

[Diagram labels: Virtual Network, West US Region; Virtual Network, East US Region; CSR 1000v (x2)]


Monitor and Analyze Azure Cloud Security and Performance: Using the CSR 1000v ZBFW and AVC Features

[Diagram labels: Subnet; Virtual Network; corporate office/branch]

Security

• Stateful firewall between Azure VNets and enterprise locations

• Extend existing enterprise security policies using IOS Zone Based Firewall

• Export flow records using NetFlow for forensic analysis

Performance

• Fingerprint over 1,000 different applications using Cisco AVC, then report, block, and shape them individually

• Export application flows and latency information to pinpoint trouble points inside and outside of the Azure cloud

[Diagram labels: Monitoring and Analysis Software; Flexible NetFlow Export]


CSR 1000v Technology Packages

Technology Package | IOS-XE Features

IP Base

▪ Basic Networking: BGP, OSPF, EIGRP, RIP, ISIS, IPv6, GRE, VRF-LITE, NTP, QoS

▪ Multicast: IGMP, PIM

▪ High Availability: HSRP, VRRP, GLBP

▪ Addressing: 802.1Q VLAN, EVC, NAT, DHCP, DNS

▪ Basic Security: ACL, AAA, RADIUS, TACACS+

▪ Management: IOS-XE CLI, SSH, Flexible NetFlow, SNMP, EEM, NETCONF

SEC (IP Base Plus…)

▪ Advanced Security: Zone Based Firewall, IPSec VPN, EZVPN, DMVPN, FlexVPN, SSLVPN, GETVPN

▪ High Availability: Box-to-box HA for FW and NAT

AppX (IP Base Plus…)

▪ Advanced Networking: L2TPv3, BFD, MPLS, VRF, VXLAN

▪ Application Experience: WCCPv2, AppXNAV, NBAR2, AVC, IP SLA

▪ Hybrid Cloud Connectivity: LISP, OTV, VPLS, EoMPLS

▪ Subscriber Management: PTA, LNS, ISG

AX

▪ ALL FEATURES


Where to Find the CSR 1000v

• In the Azure Marketplace:

  • http://azure.microsoft.com/en-us/marketplace/

  • Search for “Cisco”

  • CSR 1000v product page will contain pricing, support, and deployment information


CSR 1000v Deployment on Azure


Azure Basic Concepts

Resource Group

• A Resource Group is a set of resources that can live and die together

• Resources include: VMs, interfaces, public-ip-address, security groups, routing tables, storage accounts

• The resources in one resource group need to have unique names

• If you create an object that depends on other objects in a different resource group, the other resources cannot be deleted before you delete your object with dependencies

Storage Account

• Keeps the VM disk file and boot log

• It belongs to a resource group

• Not all resources need to have a storage account

Network Security Groups

• Control inbound and outbound access to network interfaces (NICs), VMs, and subnets


Azure Basic Concepts (continued)

Virtual Network (VNet)

• A VNet logically isolates a network’s own IP range, routes, security policies, etc.

• Each subnet created is automatically assigned a route table that contains system routes: Local VNet Rule, On-premises Rule and Internet Rule

• System routes can be overwritten by User Defined Routes

• VNets’ IP ranges cannot overlap

• Public IP NAT or Overload NAT for outbound traffic (No true public IPs)

[Diagram labels: Virtual Network, CIDR 10.2.0.0/16; Subnet A, 10.2.1.0/24; Subnet B, 10.2.2.0/24]

• Azure system route table routes within the VNet

• All VNet subnets ALWAYS have a route to all other VNet subnets!


Azure Public IP Addresses

• Azure infrastructure takes on the role of the router, allowing access from your VNet to the public Internet without the need of any configuration

• Public IP for CSR becomes tunnel endpoint for VPN, etc.

• Instances never have a publicly routable IP address directly assigned

[Diagram labels: Azure Infrastructure Public IP Mappings: 54.32.54.32 – 10.2.1.25; Virtual Network, CIDR 10.2.0.0/16; Subnet A, 10.2.1.0/24; Subnet B, 10.2.2.0/24; WebApp1 Instance, IP: 10.2.1.25]


Insert CSR 1000v as gateway in Azure deployment

• To make deployment of the CSR easy, we insert a set of templates in the Azure portal to deploy all these resources at once:

  • 2 NIC CSR (currently, the only supported type)

  • VNet with 2 subnets: public and private

  • Routing tables on each subnet, with user defined routes. Private subnet will use private-facing interface g2 as the gateway. This also disallows VMs’ access to Internet.

  • Enable IP forwarding for each interface

  • Allow port UDP 500 (ISAKMP) and UDP 4500 (NAT-T) in security group on public subnet for VPN connection

• Azure NAT at the Azure Infrastructure is very similar to AWS

• CSR should be the default gateway for the application VMs

[Diagram labels: 172.24.2.0/24; 172.24.2.0/25, Public subnet; 172.24.2.128/25, Private subnet; g1, g2]
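
Added example (not from the slides and not Cisco's template code): a small Python check that audits a deployment description against the checklist on this slide. The dictionary layout, key names, the g1/g2 host addresses and the placement of g1 on the public subnet are assumptions for illustration; only the address ranges, the g2 gateway role and the UDP 500/4500 requirement come from the slide.

```python
import ipaddress

VPN_PORTS = {500: "ISAKMP", 4500: "NAT-T"}  # ports the slide opens for VPN

# Constructed deployment description (not Azure API output). Key names are
# hypothetical; host addresses and g1-on-public are assumptions.
PLAN = {
    "vnet": "172.24.2.0/24",
    "subnets": {
        "public": {"cidr": "172.24.2.0/25", "csr_nic": "g1", "csr_ip": "172.24.2.4"},
        "private": {"cidr": "172.24.2.128/25", "csr_nic": "g2", "csr_ip": "172.24.2.132"},
    },
    "ip_forwarding": {"g1": True, "g2": True},
    # User defined routes per subnet: (prefix, next-hop type, next-hop IP)
    "routes": {"private": [("0.0.0.0/0", "VirtualAppliance", "172.24.2.132")]},
    # Inbound allow rules in the security group on the public subnet
    "public_nsg_inbound": [
        {"proto": "Udp", "port": 500},
        {"proto": "Udp", "port": 4500},
        {"proto": "Tcp", "port": 22},
    ],
}


def audit(plan):
    """Return a list of findings; an empty list means the plan matches the slide."""
    findings = []
    vnet = ipaddress.ip_network(plan["vnet"])
    nets = {n: ipaddress.ip_network(s["cidr"]) for n, s in plan["subnets"].items()}

    # VNet with two subnets, public and private, that do not overlap
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            findings.append(f"subnet {name} {net} is outside VNet {vnet}")
    if nets["public"].overlaps(nets["private"]):
        findings.append("public and private subnets overlap")

    # Each CSR interface sits in its subnet and has IP forwarding enabled
    for name, s in plan["subnets"].items():
        nic = s["csr_nic"]
        if ipaddress.ip_address(s["csr_ip"]) not in nets[name]:
            findings.append(f"{nic} address {s['csr_ip']} is not in the {name} subnet")
        if not plan["ip_forwarding"].get(nic, False):
            findings.append(f"IP forwarding is disabled on {nic}")

    # Private subnet: the user defined default route must point at g2
    g2_ip = plan["subnets"]["private"]["csr_ip"]
    defaults = [r for r in plan["routes"].get("private", []) if r[0] == "0.0.0.0/0"]
    if not defaults:
        findings.append("private subnet has no user defined default route; "
                        "system routes still apply")
    for _prefix, hop_type, hop_ip in defaults:
        if hop_type != "VirtualAppliance" or hop_ip != g2_ip:
            findings.append(f"private default route points at {hop_ip}, not g2 ({g2_ip})")

    # Public subnet security group: UDP 500 and UDP 4500 must be allowed;
    # anything else that is open is reported for review.
    allowed = {(r["proto"].lower(), r["port"]) for r in plan["public_nsg_inbound"]}
    for port, label in VPN_PORTS.items():
        if ("udp", port) not in allowed:
            findings.append(f"UDP {port} ({label}) is not allowed inbound on public subnet")
    for proto, port in sorted(allowed - {("udp", p) for p in VPN_PORTS}):
        findings.append(f"extra inbound rule {proto}/{port} on public subnet: "
                        "not needed for the VPN, review")
    return findings


if __name__ == "__main__":
    for line in audit(PLAN) or ["plan matches the slide's checklist"]:
        print(line)
```

The constructed plan deliberately carries one inbound rule beyond the two VPN ports, so the audit reports it.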


Feature for CSR 1000v on Azure

Feature | Azure

Number of vNIC supported today | 4*

High Availability (Routing) | Roadmap - Mar 17’ (looking for BETA customers)

Multiple IP addresses on vNIC | Multiple IP addresses per vNIC

Allow Overlapping IP addresses | No

GRE Tunnel support | Not supported

Add or remove interfaces on running CSR 1000V VM | No, but we have 2vNIC, 4vNIC and 8vNIC templates

* Expected very soon (Feb 17’) – VM type D4 (8 vNIC support)


Performance for CSR1000v on Azure

Metric | CSR on Azure

CEF throughput | 1000 Mbps

IPSec throughput (AES 256) | 180 Mbps (D2v2) / 700 Mbps (D3v2/D4v2)

# of Tunnels supported | 1000

Feb 17’ – CSR1000v support on D4v2 – 700 Mbps IPSEC


Additional Resources

• CSR 1000v External Home Page: http://www.cisco.com/go/cloudrouter

• Deployment Guide for CSR 1000v on Microsoft Azure: https://supportforums.cisco.com/document/12744996/cisco-csr-1000v-deployment-guide-microsoft-azure

• CSR 1000v Azure Product Management Mailing list: [email protected]

• CSR 1000v Product Management Mailing List: [email protected]


Thank you.


[Diagram labels: Subnet; Virtual Network; Corporate Office; Branch Office (x2); CSR 1000v]


Open Q&A


Thank you!

Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays