ExpressRoute Fridayswith the C+E Black Belts

Olivier Martin (@omartin) – Azure Networking Black BeltKevin Lopez (@kevlopez) – ER Partner Sales ExecutiveJaime Schmidtke (@jaimesc) – ER Partner Sales ExecutiveKevin Sullivan (@kevinsul) – BCDR and ER Black belt

Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded.

• We’ll post material @

http://aka.ms/AzureNetworkingFridays

• Ignite : Great new things!

• Deep dive topic of the week: • Guest Speaker : Karthik Ananthakrishnan (Azure Networking Principal

Product Manager for ExpressRoute)

• ExpressRoute Layer 2 Detailed Scenarios

• Azure Networking Partner Spotlight: Barracuda Networks (NGF)

• Open Q&A !

Agenda for September 30th, 2016

What’s new from Ignite 2016 ?!

High performance networking

Performance increase across all VM SKUs globally

SDN/Networking policy applied in

software in the host

Hardware accelerators used to apply

all policies

The Virtual Datacenter

Azure Active Directory

Azure subscription

Azure subscription

Azure subscription

AccessControl

AccessControl

AccessControl

Virtual Network Virtual Network Virtual NetworkVirtual Network

FW FW

IIS IIS

SQL

IIS IIS

SQL

FW FW

IIS IIS

SQL

FW FW

IIS IIS

SQLExpressRoute ExpressRoute

Internet Internet Internet Internet

Azure load balancer

Azure load balancer

Azure load balancer

Azure load balancer

Azure load balancer

Azure load balancer

Azure load balancer

Building and running services on Azure

IPv6 for Azure VMs : General Availability

IPv4 Clients and Services

Azure VMs (IaaS)

Azure

Services &

Storage

Azure

Load

Balancer

Internet

Inbound&

Outbound

IPv6 IPv4

IPv6

VIP

IPv4

VIP

Azure

VM

IPv6 Clients & Services

VMVM

ModSecurity and Core Rule Set

Valid request

SQL Injection×

XSS attack× Application

Gateway

WAF

L7 LB

Site 1

Site 2

WAF SKU for Application GatewayAvailable for public and private endpoints

WAF logs integrated with Azure Insights Azure Security Center coming soon

Portal, PowerShell, SDK supported

Azure Security Center Azure Insights Storage

Application

Gateway

WAF

L7 LB

VM

SQL

VM

SQL

AG

AG

AG

Virtual Network

Virtual Network

Enables new virtual appliance scenarios

Secure and private cross-premises connectivity

BGP for redundant paths and dynamic routingAutomatic shortest path selection and failover

Transit over Microsoft global networkSecure connectivity using Internet only for “last mile”

Support on-premises network with multiple ISPs and VPN devices

From active-standby to active-active

Support both cross-premises and VNet-to-VNet connectivity

Spreading traffic over multiple tunnels simultaneously

Atlanta

Chicago

Los Angeles

Seattle

Silicon Valley Washington DC

AmsterdamDublin

London

Sao Paulo

Chennai

Hong Kong

Mumbai

Melbourne

Osaka

Singapore

Sydney

TokyoLas Vegas

TorontoMontreal

Quebec City

New York City

Dallas

Newport, WalesParis Beijing

Shanghai

Berlin

Frankfurt

Dallas

Washington DC

New York

Chicago

US Government

Germany

China

Gateway SKU

Max.

Throughput

(Gbps)

Standard 1

HighPerformance 2

UltraPerformance 10

Monitoring and Diagnostics

Deeper insights into your networkExpressRoute

• Peering connection statistics

• ARP table, Route Summary, Route Table

Virtual Network

• Effective security rules on every NIC

• Next hop and effective routes for every NIC in the subnet

Application Gateway

• Metrics and alerts

• Back end health information

Internet

Technical Deep Dive with special guest : Karthik AnanthakrishnanExpressRoute Principal Product Manager

ExpressRoute Customer Connectivity Options

Customers can connect to Expressroute using: 1. Virtual cross-connection to Expressroute

through the co-location providers ethernet-exchange

2. Point-to-point Ethernet connection through a service provider

3. IPVPN connection through a MPLS provider

MPLS providers typically offer managed Layer 3 connectivity and will address the VLAN mapping and routing for Expressroute.

Layer 2 providers will typically provide VLAN mapping for Customers. Customers are responsible for setting up routing with Expressroute.

Primary

Circuit

Secondary

Circuit

Partner Edge

Microsoft Edge

CTAG: 20 Traffic to public IP addresses in Azure

CTAG: 30 Traffic to Virtual Networks (VNets)

CTAG: 10 Traffic to Office 365 Services

Partner Edge

Microsoft Edge

ExpressRoute VLAN Scenarios With Layer 2 Providers (802.1Q)

802.1Q VLAN Handoff To CustomerSome Customer Edge devices does not support QinQ VLANS. The layer 2 provider will provide a VLAN mapping service to provide 802.1Q handoff to customers. Customer can terminate the provider layer2 connection on a single device or device pair.

802.1ad (QinQ) VLAN Handoff To CustomerIn this example, the provider swaps the outer tag on the carrier network. The Inner tag assigned on the ExpressRoute circuit can remain unchanged or remapped by the provider. Customer needs to configure a BGP Pair for each routing domain (Private, Public and Microsoft) for SLA with ExpressRoute

ExpressRoute VLAN Scenarios With Layer 2 Providers (802.1ad)

Azure Portal Set-up For VLAN and Routing Configuration

Partner Spotlight : Barracuda Networks

Accelerating Your Journey to a Safe CloudBarracuda Security Solutions for Microsoft Azure

+

Today’s Discussion

It’s all about securing workloads in Microsoft Azure

• Moving applications to the cloud

• Building out data center capacity

• The logistics of remote connectivity of workloads in the cloud

• How to ensure security across common scenarios

Migrating to the Cloud?

Prepare for These Common Challenges:

• Security, privacy, and compliance concerns

• Managing mission-critical or development workloads

• Complexities of migrating your physical data center to Microsoft Azure

• Vulnerabilities to mobile and Bring-Your-Own-Devices, web 2.0 applications, and remote network users

You define

controls

and security

IN the Cloud

Your company

Customer’s Responsibility in a Shared Security Model

Azure takes care

of the Security

OF the Cloud

Azure Platform

Physical Infrastructure

Network Infrastructure

Virtualization Layer

Customer Applications & Content

Network Security

Identity & Access Control

Operating Systems / Platform

Data Encryption

Barracuda Security Solutions for Microsoft Azure

Accelerating Your Journey to a Safe Cloud

Security

Ensure users, data and applications are protectedEmploy multi-layer security, archiving, and data protection technology

Optimize user productivityImprove company-wide collaboration and minimize employee downtime

Compliance

Seamless, unified experienceContinue the same level of familiarity with the technologies as workloads are moved from on-premises to the cloud

Migration

Maximize Azure investmentOvercome potential adoption challenges to realize the value of your investment faster

Control

Barracuda NextGen Firewall F

Cloud Security Threats

Community gaps

Exploited system vulnerabilities

Remote access

Barracuda NextGen Firewall F on AzureThe Ultimate Protection Against Network Security Threats

Networking &

Infrastructure

IPS/IDS

Integrated intrusion prevention

URL filtering

User and application aware

IPsec VPNs secure remote connectivity

Dynamically scales with your network

Networking Protection

Multi-Tier Architecture

Build secure multi-tier architecture in Azure to keep a level of segregation between tiers

VPN Tunnels

Unlimited site-to-site VPN tunnels to connect two networks protected byF-Series Firewalls

Traffic Control

Inbound/outboundtraffic control while providing IPS/IDS functionality

Access to Resources

Access to resources in Azure (unlimited client-to-site VPN, SSL VPN)

ExpressRoute

Visibility and control on all traffic coming across the ExpressRoute connection

Most Common Use Cases

Use Case – Multi-Tier Deploying Multi-Tier Architecture in Azure

Secure remote access for mobile users

• Dedicated VPN clients available for Windows, Mac, Linux

• Clientless SSL VPN

• Multiple supported protocols: TINA, IPsec, L2TP, PPTP

Multiple site-to-site connectivity

• VNET-to-VNET connectivity

• Automatic user ID synchronization across sites

• Supports multiple ISPs

• Built-in WAN optimization

• Full ExpressRoute support

Comprehensive security enforcement

• Internal and cross-region network segmentation

• Access control based on user and instance identity

• Full traffic visibility and monitoring

Use Case – Multi-Tier

Best PracticesMulti-Tier Architecture

Controlling traffic between VNETs• Provide full visibility into traffic using IP,

port, application, or protocol• Control traffic between VNETs (block, allow,

or re-direct)

Use Case – Multi-Tier

Preventing direct connections through a reverse-proxy architecture• Terminate all connections at a proxy• Decrypt all data• Inspect for any malicious content or

embedded attacks

Improve VPN ConnectivityOvercoming IPsec Limitations

• Powerful extensions to standard IPsec tunnel management

• TINA (Transport Independent Network Architecture) developed exclusively by Barracuda

• The TINA protocol allows use of TCP, UDP, and ESP for high speed VPN connections

• Substantially improves the VPN connectivity

Use Case – Multi-Tier

Use Case - ExpressRoute Protecting Microsoft Azure ExpressRoute

Security

• Encrypts traffic across ExpressRoute

• Prevents direct traffic flow between applications and the cloud

• Inspects and logs all inbound and outbound traffic for reporting purposes

Reliability

• VNET-to-VNET connectivity

• Automatically sets up a VPN for secondary connection in the event of failure

• Allows multiple ExpressRoutes; one primary and one secondary

Intelligence

• Prioritizes traffic from any specified application and sends it via a configured link

• Blocks specific application traffic from going to and from Azure

• Allows or denies certain users based on credentials and access privileges

Use Case – ExpressRoute

Best PracticesSecuring ExpressRoute

Preserving Low LatencyMaintain a quality of service based off of protocol and application to achieve equal or better bandwidth than other applications

Controlling Traffic AccessMonitor and control traffic based on IP addresses, ports, protocol, user identity, AD security groups, FQDN, Application Detection, and RPC portmapperinformation

Protecting Networks from MPLS FailureSwitch to an internet baseline in the event of MPLS router or line failure, and then automatically use that particular connection

Enabling End-to-End Line SecurityEncrypt traffic from end-to-end and send it through the system, while maintaining full control over keys and algorithms

Use Case – ExpressRoute

User and Application AwarenessBarracuda NextGen Firewall F Use Case – ExpressRoute

Next Steps and Resources

1. Learn moreFor a rich library of resources, visit the Barracuda Azure website www.barracuda.com/azure

2. Contact Barracudaazure_support@barracuda.com

3. Start a 30-day free trial

4. Ask for a demo and proof-of-concept

AskTryContactLearn

Videos Technical Briefs

Deployment Architecture Diagrams

Open Q&A

Thank you!Session recording will be posted shortly here :http://aka.ms/AzureNetworkingFridays