AZURE

A deep-dive into

Azure Networking!

Karim Vaes

AZURE

Karim VaesFormer Azure MVP,

Now TSP AppDev @ Microsoft

or …

“Cloud Solution Architect with a focus on

Application Development on Azure”

@kvaes https://blog.kvaes.be/

AZURE

Agenda

Networking

PatternsRouting

Outbound

Connections

Network

Virtual

Appliance

Cost Drivers Q&A

AZUREAZURE

Networking Patterns

AZURE

AZURE

Island Mode

AZURE

Hybrid Connection

AZURE

Network Virtual Appliance

AZURE

Northbound

Southbound

AZURE

WAF

NGFW

AZURE

Hub & Spoke Model

AZURE

Growth Model

https://kvaes.wordpress.com/2017/10/02/azure-networking-blueprint-patterns-for-enterprises/

Island ModeHybrid

Connection

NGFW

+WAF

+NGFW

Hub

&

Spoke

AZUREAZURE

Routing “Basics”

AZURE

Azure Routing Explained

• Longest Prefix Matching Wins

• In case of tie…

1. User Defined Route (Custom)

2. Border Gateway Protocol (BGP)

3. System Route (Azure Default)

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview

AZURE

Longest Prefix Matching

Target IP = 10.100.200.97

Configured Routes

• 10.0.0.0/8

• 10.100.0.0/16

• 10.100.200.0/24

• 10.100.200.97/32 => WINS (LPM)

AZUREAZURE

Routing “Beyond the Basics”

AZURE

Service Endpoints & Service Injection

Injection

Dedicated PaaS Services,

like for example

App Service Environment

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview

https://kvaes.wordpress.com/2018/06/08/taking-a-look-at-azure-service-endpoints/

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-for-azure-services

AZURE

VNET Peeringhttps://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

AZURE

One more thing

Conflicting / overlapping IP plans

AZUREAZURE

Outbound Connections

AZURE

What IP will be seen externally?

Scenario Method Protocols Description

VM with own

PIP

SNAT only TCP, UDP, ICMP,

ESP

Azure uses the public IP assigned to the IP configuration

of the instance's NIC. The instance has all ephemeral

ports available.

VM behind LB SNAT with PAT

using LB PIP

TCP, UDP Azure shares the public IP address of the public Load

Balancer frontends with multiple private IP addresses.

Azure uses ephemeral ports of the frontends to PAT.

VM without

PIP or LB

SNAT with PAT

using shared

PIP

TCP, UDP Azure automatically designates a public IP address for SNAT,

shares this public IP address with multiple private IP addresses

of the availability set, and uses ephemeral ports of this public

IP address. This is a fallback scenario for the preceding

scenarios. We don't recommend it if you need visibility and

control.

AZURE

Gotcha of the dayUsing an Internal Standard Load Balancer?

• Assign a PIP per nodeor

• Add the nodes to a External Load Balancer with “dummy” rules

Or the nodes won’t be able to reach the outside world…

AZURE

Load Balancer Trivia

Using an External Standard Load Balancer

“Secure by Default”

“Closed by default for public IP and Load Balancer endpoints and

a network security group must be used to explicitly whitelist for

traffic to flow!”

AZUREAZURE

Network Virtual Appliance

AZURE

Before anythingDraw a high level 10 mile high overview of your security rules!

AZURE

... which everyone can understand!

AZURE

… and then start discussing the NVA

AZURE

Now let’s talk about… Network Virtual Appliances

AZURE

NICNIC

NICNIC

NIC NICNIC NIC

Firewalls in Physical Networks

AZURE

Azure = Layer 3 +

NICNIC

NICNIC

NIC NIC

Trusted subnet10.10.0.0/16

Untrusted subnet10.20.0.0/16

Address Space10.0.0.0/8

AZURE

Floating IP = Load Balancer

NIC

NIC

Are you alive?

All good

Are you alive?

All good

AZURE

How many NICs does it take…

AZURE

Flow Symmetry – Single NIC

NIC

NIC

NIC

NIC

Src IP AddrTrusted VM IP

Dest IP Addr:Untrusted VM IP

PayloadSrc Port:

XDest Port:

Y

Src IP AddrUntrusted VM IP

Dest IP Addr:Trusted VM IP

PayloadSrc Port:

YDest Port:

X

AZURE

Flow Symmetry – Single NIC

https://azure.microsoft.com/en-us/blog/azure-load-balancer-new-distribution-mode/

AZURE

Flow Symmetry – Single NIC

NIC

NIC

NIC

NIC

Src IP AddrTrusted VM IP

Dest IP Addr:Untrusted VM IP

PayloadSrc Port:

XDest Port:

Y

Src IP AddrUntrusted VM IP

Dest IP Addr:Trusted VM IP

PayloadSrc Port:

YDest Port:

X

AZURE

Flow Symmetry – Dual NIC

NICNIC

NIC

NIC

NIC

NIC

SNAT

SNAT reversed

AZURE

Responding to probes

NICNIC

NIC

NIC

NIC

NIC

From: 168.63.129.16

From: 168.63.129.16

From: 168.63.129.16

From: 168.63.129.16

AZURE

Key Takeaways

• Floating IP = Load Balancer IP

• Dual NIC = Complex

• Require SNAT

• Test NVA response to probes

• Single NIC (recommended)

• No SNAT needed

AZUREAZURE

Cost Drivers

AZURE

https://kvaes.wordpress.com/2018/01/04/understanding-the-budget-impact-of-azure-networking-on-your-architecture/

AZURE

What to remember?

• Understand cost drivers

• Design accordingly

• Network is mostly <1% of the cost

AZURE If you are reading this…

You made it to the end!(without falling asleep)

AZURE

Surely there must be...

questions

… which I can answer for you!

http://feedback.expertslive.nl/

AZUREDo you want to gain more

knowledge about Microsoft

technology?

The Future Ready Skills program

offers online courseware, online

labs, live Q&A’s and expert

sessions, so you can acquire

your official Microsoft Certificate

in the most efficient way.

For more information:

aka.ms/frsblog

FUTURE READY

SKILLS

AZURE

Next Session 17:30 – 18:30

Windows 10 is not your Daddy’s Windows anymore… Security improvements in the last builds

Kim Oppalfens & Tom Degreef