Windows® Azure™ Platform

Windows ® Azure ™ Platform. Network Architecture Packet Filtering Built-In Firewalls Connect Service SSL WCF Security Agenda


Agenda

Network Architecture

Packet Filtering

Built-In Firewalls

Connect Service

SSL

WCF Security


[Figure labels: Data center Routers; Aggregation Routers and Load Balancers (LB, Agg); Racks; Top of Rack Switches (TOR); Power Distribution Units (PDU); Nodes; Compute Network (Main VLAN)]


Network connectivity is restricted using the host firewall

Packet Filtering is performed on all traffic

The FC host agent ensures that the VM can only access IP addresses assigned to VMs of the same service.

Also allows access to Internet addresses

Hyper-V based hypervisor

[Figure labels: Hypervisor, Network/Disk]


[Figure labels: Windows Azure VM, Web Role, Worker Role, Worker Role]

<WebRole name="AccidentReporting_WebRole" ...>
  ...
  <Endpoints>
    <!-- Input endpoint: HTTP on port 80 -->
    <InputEndpoint name="HttpIn" protocol="http" port="80" />
  </Endpoints>
</WebRole>

[Figure labels: Port 80, Port 8080, Port 10000; HTTP, TCP]

<WorkerRole name="AccidentReporting_WorkerRole" ...>
  ...
  <Endpoints>
    <!-- Input endpoint: raw TCP on port 10000 -->
    <InputEndpoint name="TCPEp" protocol="tcp" port="10000" />
  </Endpoints>
</WorkerRole>

<WorkerRole name="AccidentReporting_WorkerRole2" ...>
  ...
  <Endpoints>
    ...
    <!-- Internal endpoints: no port is declared for them -->
    <InternalEndpoint name="HTTPEp" protocol="http" />
    <InternalEndpoint name="InternalEp" protocol="tcp" />
  </Endpoints>
</WorkerRole>
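The endpoint declarations above are what a reviewer would inventory to see which roles accept outside traffic. The following Python sketch is an added example, not part of the presentation: it lists every declared endpoint and marks input endpoints that are not HTTPS. The `ServiceDefinition` wrapper, the sample document and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the slide's fragments (elided parts omitted).
SAMPLE_CSDEF = """\
<ServiceDefinition name="AccidentReporting"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="AccidentReporting_WebRole">
    <Endpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
    </Endpoints>
  </WebRole>
  <WorkerRole name="AccidentReporting_WorkerRole">
    <Endpoints>
      <InputEndpoint name="TCPEp" protocol="tcp" port="10000" />
    </Endpoints>
  </WorkerRole>
  <WorkerRole name="AccidentReporting_WorkerRole2">
    <Endpoints>
      <InternalEndpoint name="HTTPEp" protocol="http" />
      <InternalEndpoint name="InternalEp" protocol="tcp" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>
"""

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on qualified tags.
    return tag.rsplit("}", 1)[-1]

def list_endpoints(csdef_xml):
    """Return one dict per declared endpoint (hypothetical helper)."""
    root = ET.fromstring(csdef_xml)
    rows = []
    for role in root:
        if local(role.tag) not in ("WebRole", "WorkerRole"):
            continue
        for ep in role.iter():
            kind = local(ep.tag)
            if kind not in ("InputEndpoint", "InternalEndpoint"):
                continue
            external = kind == "InputEndpoint"
            rows.append({
                "role": role.get("name"), "endpoint": ep.get("name"),
                "exposure": "internet" if external else "internal",
                "protocol": ep.get("protocol"), "port": ep.get("port"),
                # Input endpoint without HTTPS: check how the channel is protected.
                "needs_tls_review": external and ep.get("protocol") != "https",
            })
    return rows
```
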


[Figure labels: Internet, On-premises Server, Windows Azure Connect Relay, Windows Azure Roles]


netsh advfirewall firewall add rule name="ICMPv6" dir=in action=allow enable=yes protocol=icmpv6


Channel Type: Motivation

Client-to-Role: Business activities may contain sensitive data. Prevents man-in-the-middle attacks.

Administration: Both Windows Azure and the developer authenticate each other. Allow administration outside the portal.

Client-to-Blob: SAS allows access for users to whom the URL was provided. SSL prevents other people from looking at the data.

Client-to-SQL Azure: Protect connection information. The database usually contains sensitive information.

Role-to-Storage: Unnecessary, as this channel is trusted.


<ConfigurationSettings>
  <!-- DefaultEndpointsProtocol=https: storage endpoints are reached over SSL -->
  <Setting name="StorageConnectionString"
           value="DefaultEndpointsProtocol=https;AccountName=MyAccount;AccountKey=MyKey" />
</ConfigurationSettings>

<connectionStrings>
  <add name="MySqlAzureDB"
       connectionString="Server=tcp:ServerName.database.windows.net;
         Database=Pubs;User ID=user@server;Password=myPassword;
         Encrypt=True;TrustServerCertificate=False" />
</connectionStrings>
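The two connection strings above carry the settings that decide whether the storage and SQL Azure channels are encrypted and whether the server certificate is validated. This Python sketch is an added example, not part of the presentation: it checks those keys in a connection string. The function names and the weak sample strings are constructed for the example.

```python
def parse_conn(conn):
    """Split 'Key=Value;Key=Value' into a dict with normalised keys."""
    pairs = (p.split("=", 1) for p in conn.split(";") if "=" in p)
    # maxsplit=1 keeps '=' padding inside values such as a base64 AccountKey.
    return {k.replace(" ", "").strip().lower(): v.strip() for k, v in pairs}

def audit_storage(conn):
    """Findings for a storage connection string (hypothetical helper)."""
    proto = parse_conn(conn).get("defaultendpointsprotocol", "")
    if proto.lower() == "https":
        return []
    return [f"DefaultEndpointsProtocol={proto or '<missing>'}: storage traffic is not forced over SSL"]

def audit_sql(conn):
    """Findings for a SQL Azure connection string (hypothetical helper)."""
    kv = parse_conn(conn)
    findings = []
    if kv.get("encrypt", "false").lower() not in ("true", "yes"):
        findings.append("Encrypt is not True: the connection does not require encryption")
    if kv.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True: the server certificate is not validated")
    return findings

# The values shown on the slide.
GOOD_STORAGE = "DefaultEndpointsProtocol=https;AccountName=MyAccount;AccountKey=MyKey"
GOOD_SQL = ("Server=tcp:ServerName.database.windows.net;Database=Pubs;"
            "User ID=user@server;Password=myPassword;"
            "Encrypt=True;TrustServerCertificate=False")
# Constructed weak variants for comparison.
WEAK_STORAGE = "DefaultEndpointsProtocol=http;AccountName=MyAccount;AccountKey=MyKey"
WEAK_SQL = ("Server=tcp:ServerName.database.windows.net;Database=Pubs;"
            "User ID=user@server;Password=myPassword;TrustServerCertificate=True")

if __name__ == "__main__":
    for label, findings in [("storage", audit_storage(WEAK_STORAGE)),
                            ("sql", audit_sql(WEAK_SQL))]:
        for finding in findings:
            print(f"{label}: {finding}")
```
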


[Figure labels: Caching, Access Control, Service Bus, Web Service]


©2010 Microsoft Corporation. All rights reserved. Microsoft, Windows Azure, SQL Azure and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.