Customer needs EnterpriseGrade HyperScale Hybrid.


What’s New in Azure Networking

Yousef Khalidi, Distinguished Engineer

Microsoft Corporation

CDP-B227

Agenda

Internet Connectivity
• Traffic Manager & DNS
• Internet Connectivity & Load Balancing

Virtual Network & Hybrid Connectivity
• Virtual Network Enhancements
• Network Security Groups
• Cross premises connectivity

Network Virtual Appliances
• Virtual appliance platform
• Demos: Citrix & Riverbed virtual appliances

ExpressRoute

Customer needs

Availability, Policy, Ecosystem

Global presence, Global connectivity, Scale out

Seamless, Performance, Security

Enterprise Grade, Hyper Scale, Hybrid

The Big (Network) Picture

[Diagram labels: Internet Clients; On premises Datacenter; Azure Virtual Network]

Frontend Connectivity
• Load-balanced and direct IPs
• ACLs & DDoS protection
• Traffic Manager & Azure DNS

Virtual Networks
• Flexible multi-tier topologies

Backend Connectivity
• Secure Internet cross premises VPN connectivity
• ExpressRoute – direct connectivity

Previous TechEd NA Announcements

Internet connectivity
• Traffic Manager External Endpoints
• Instance Level Public IP (Preview)
• IP Reservation for VIPs

Intra-region communication
• Internal Load Balancing
• In-Region VNet to VNet

Cross-premises connectivity
• Multiple-Site VPN
• Cross-Region VNet to VNet
• ExpressRoute

What’s New for TechEd Europe

Internet connectivity
• Reverse DNS (PTR) Support
• Traffic Manager Nested Profiles
• Instance Level Public IP GA
• Source IP-based Affinity
• TCP flow idle connection timeout

Virtual network
• Network Security Group
• Public non-RFC1918 IPs in VNet
• ILB for SQL Always On

Cross-premises connectivity
• Forced Tunneling for IPsec VPNs
• ExpressRoute Multi-Subscription Circuit Sharing
• ExpressRoute Multi-Circuit VNet
• High Performance VPN gateway
• VPN/ExpressRoute Operation Logs
• IPsec VPN NULL encryption & PFS

Network Virtual Appliance
• Multiple NICs per VM
• MAC persistence

NEW

Internet Connectivity

Traffic Manager: DNS-based Load Balancing

www.yourapp.com

Load balancing policies
• Performance - Direct to “closest” service based on network latency
• Round-robin - Distribute equally across all services
• Failover - Direct to “backup” service if primary fails (also included in other policies)

Traffic Manager Nested Profiles (NEW)

Enable richer profiles with greater flexibility for large/complex deployments

Example: Cross-region failover within a Geo, plus in-region flighting
• Level 1: Route to user’s nearest Geo (US, EU, ASIA)
• Level 2: Route to nearest Region, with cross-region failover within the Geo
• Level 3: Load-balance within the region, divert 1% for flighting

[Diagram labels: US West; US East; Europe North; Europe West; Cloud Services]

Instance-Level Public IP (GA)

• Internet IP assigned to a single VM
• Entire port ranges are accessible
• Support applications with dynamic public ports; e.g., FTP, multi-media
• Ideal for workloads with heavy outbound connections

[Diagram labels: Internet; Microsoft Azure; LB; Reserved VIP; Cloud service; VM1; VM2; Instance level public IPs; addresses shown: 151.2.3.4, 131.3.3.3, 131.4.4.4]

Source IP-based Affinity (NEW)

All connections from the same Internet client IP to the same backend server
• 2-tuple/3-tuple hash

Scenarios
• Applications that require multiple connections to the same server
• Example: media streaming to establish control and data channel to same backend server

[Diagram labels: Client 1; Client 2; Client 3; VIP; Azure Load Balancer; VM Server Instance 1; VM Server Instance 2]
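The effect of the 2-tuple/3-tuple hash on the media streaming scenario above, as an added Python sketch that is not part of the presentation. It assumes 2-tuple means (source IP, destination IP), 3-tuple adds the protocol, and the non-affinity baseline is a 5-tuple hash; the SHA-256 hash, the addresses and the ports are constructed for illustration and are not Azure's implementation.

```python
import hashlib

# Backend names follow the slide; the VIP and client addresses are constructed.
BACKENDS = ["VM Server Instance 1", "VM Server Instance 2"]
VIP = "203.0.113.10"

# Which flow fields feed the hash in each mode (assumed field sets, see lead-in).
FIVE_TUPLE = ("src_ip", "src_port", "dst_ip", "dst_port", "proto")
THREE_TUPLE = ("src_ip", "dst_ip", "proto")
TWO_TUPLE = ("src_ip", "dst_ip")


def pick_backend(flow, fields):
    """Hash only the selected fields of a flow and map the digest to a backend."""
    key = "|".join(str(flow[name]) for name in fields)
    digest = hashlib.sha256(key.encode()).digest()
    return BACKENDS[int.from_bytes(digest[:8], "big") % len(BACKENDS)]


def streaming_session(src_ip, data_channels=63):
    """Constructed sample: one TCP control connection plus UDP data channels,
    each from a different ephemeral source port of the same client."""
    flows = [{"src_ip": src_ip, "src_port": 50000, "dst_ip": VIP,
              "dst_port": 554, "proto": "tcp"}]
    for i in range(data_channels):
        flows.append({"src_ip": src_ip, "src_port": 50001 + i, "dst_ip": VIP,
                      "dst_port": 6970, "proto": "udp"})
    return flows


def backends_used(flows, fields):
    """Set of backends a group of flows is spread over under a given hash mode."""
    return {pick_backend(flow, fields) for flow in flows}


if __name__ == "__main__":
    session = streaming_session("198.51.100.7")
    for label, fields in (("5-tuple", FIVE_TUPLE), ("3-tuple", THREE_TUPLE),
                          ("2-tuple", TWO_TUPLE)):
        print(label, sorted(backends_used(session, fields)))
```

In this model the 3-tuple mode keeps each protocol's connections together but can still place the TCP control channel and the UDP data channels on different backends. The 2-tuple mode also sends every client behind one NAT address to the same backend, so load follows source addresses rather than connections.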

Increasing Idle Connection Timeout (NEW)

• Configurable connection timeout to VIPs
• Idle connection timeout as high as 30 minutes
• Better experience for mobile clients connecting to Azure

[Diagram labels: Client; Traffic to the VIP; LB; Server 1; Server 2; Idle Connection Timeout increased up to 30 minutes]

Virtual Network & Security

Network Security Groups (NSG) (NEW)

Enables network segmentation & DMZ scenarios

Access Control List
• Filter conditions with allow/deny
• Individual addresses, address prefixes, wildcards

Associate with VMs or subnets

ACLs can be updated independent of VMs

[Diagram labels: Virtual Network; Frontend 10.1/16; Mid-tier 10.2/16; Backend 10.3/16; VPN GW; S2S VPNs; On Premises 10.0/16; Internet; check marks (√)]
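How an access control list with allow/deny filters over individual addresses, prefixes and wildcards segments the tiers shown above, as an added Python sketch that is not part of the presentation. The rule set, ports, priorities and the first-match-by-priority model are assumptions made for illustration; only the tier prefixes come from the slide.

```python
import ipaddress
from collections import namedtuple

# One ACL entry. Priority-ordered first match is this sketch's assumption.
Rule = namedtuple("Rule", "priority src dst port action")


def _net(pattern):
    """Parse an individual address or a prefix; a bare address becomes a /32."""
    return ipaddress.ip_network(pattern, strict=False)


def _addr_match(pattern, ip):
    return pattern == "*" or ipaddress.ip_address(ip) in _net(pattern)


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Return the action of the first matching rule in priority order, else deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (_addr_match(r.src, src_ip) and _addr_match(r.dst, dst_ip)
                and r.port in ("*", str(dst_port))):
            return r.action
    return "deny"


def _covers(a, b):
    """True when pattern a matches every address that pattern b matches."""
    if a == "*" or b == "*":
        return a == "*"
    return _net(b).subnet_of(_net(a))


def shadowed(rules):
    """Priorities of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [r.priority for i, r in enumerate(ordered)
            if any(_covers(h.src, r.src) and _covers(h.dst, r.dst)
                   and h.port in ("*", r.port) for h in ordered[:i])]


# Constructed rule set for the Backend subnet, using the slide's tier prefixes
# (Frontend 10.1/16, Mid-tier 10.2/16, Backend 10.3/16, On Premises 10.0/16).
BACKEND_NSG = [
    Rule(100, "10.2.0.0/16", "10.3.0.0/16", "1433", "allow"),  # mid-tier to DB
    Rule(110, "10.0.0.10", "10.3.0.0/16", "3389", "allow"),    # one admin host
    Rule(200, "10.0.0.0/8", "10.3.0.0/16", "*", "deny"),       # all other 10/8
    Rule(4000, "*", "*", "*", "deny"),                          # Internet, rest
]
```

Running `shadowed()` over a rule set before applying it catches an allow rule placed below a broader deny, which would otherwise silently never take effect.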

Demo: Network Security Group

DMZ in a Virtual Network

[Diagram labels: Internet; Load Balancer; VIRTUAL NETWORK; DMZ; Web Proxy; App Servers; Internal Load Balancer; Database; DNS Servers; NSG (shown four times)]

Virtual Appliance Platform & Ecosystem

Multiple NICs in Azure VMs (NEW)

• Multiple NICs enable virtual appliances in Azure
• MAC/IP addresses persist through VM life cycle
• Separate frontend-backend traffic, and management-data planes
• Up to 4 NICs per VM

[Diagram labels: Azure Virtual Machine; NIC2; NIC1; Default; Azure Virtual Network; Frontend Subnet; App Subnet; Backend Subnet; Internet; addresses shown: 10.2.2.22, 10.2.3.33, 10.2.1.11; VIP: 133.44.55.66]

Bring Your Appliances to the Cloud

Building blocks
• Multiple NICs
• MAC address persistence

Appliance ecosystem
• Barracuda NG Firewall
• Citrix NetScaler
• Riverbed Steelhead, SteelApp, SteelStore
• More to come!

“Azure Certified”

Citrix NetScaler & Azure

Jason Poole, Director PMM NetScaler, Citrix

© 2014 Citrix. Confidential.

Services Anywhere, Work Anywhere

[Diagram labels: SSL; App Store; Networking & Cloud Infrastructure; Windows Desktops; Windows & Mobile Apps; Data Sync & Sharing; Collaboration & Support]

Infrastructure & Services, Mobile Workspace

[Diagram labels: SSL; App Store; Networking & Cloud Infrastructure; Windows Desktops; Windows & Mobile Apps; Data Sync & Sharing; Collaboration & Support; Data; Desktops; Collaboration; Apps; Personal]

Citrix NetScaler Overview: Making Applications Run 5x Better

Performance, Offload, Security, Availability

• World-class load balancing
• Global Server Load Balancing
• Caching
• Compression
• Optimization
• TCP Connection Management
• SSL processing
• SSL VPN
• Application firewall

NEW

Advanced Application Acceleration
• 40% reduction in bytes
• 30% reduction in Requests
• ~100% Faster Page Load Time

NetScaler Insight for Web App and Published App Visibility

NetScaler Unified Gateway

Web Apps, Mobile Apps, SaaS/Cloud Apps, C/S Apps
• Optimized delivery and threat protection
• Granular visibility and control
• Seamless authentication & authorization

NetScaler for Azure
• Same NetScaler binary
• Supports new Azure multi-NIC
• Different interfaces in different zones

Demo: Citrix NetScaler

Demo: WAN Optimization with Riverbed

Hybrid Networking Services

Microsoft Azure hybrid offerings

Columns: Cloud; Customer Segment and workloads

Secure point-to-site connectivity
• Developers
• POC Efforts
• Small scale deployments
• Connect from anywhere

Secure site-to-site VPN connectivity
• SMB, Enterprises
• Connect to Azure compute

ExpressRoute private connectivity
• SMB & Enterprises
• Mission critical workloads
• Backup/DR, media, HPC
• Connect to all Azure services

Forced Tunneling (NEW)

• “Force” or redirect customer Internet-bound traffic to an on-premises site
• Auditing & inspecting outbound traffic from Azure
• Needed by many scenarios for critical security and IT policy requirements

[Diagram labels: Virtual Network; Frontend 10.1/16; Mid-tier 10.2/16; Backend 10.3/16; VPN GW; S2S VPNs; On Premises; Internet; Forced Tunneled via S2S VPN]

Gateway Enhancements (NEW)

High Performance Gateway
• Better throughput
• More S2S tunnels
• Pricing: $0.49 per gateway hour; data transfer & VNet traffic rates unchanged

No Encryption option
• Better throughput for VNet-to-VNet within Azure
• Intra-/Inter-region VNet-to-VNet traffic stays within Microsoft networks, not Internet

PFS Support for IKE
• Compliance requirements & better security

Operations Logs
• Visibility into critical gateway events

Gateway SKU    ExpressRoute Throughput*    S2S Throughput*    Max Tunnels
Default        500 Mbps                    100 Mbps           10
Performance    1000 Mbps                   200 Mbps           30

* Subject to traffic conditions and application behavior

Virtual Network VPN Ecosystem (NEW)

ExpressRoute

Customers want Azure on their network

Cloud on your WAN
• Traffic flows directly from customer WAN to Azure
• Reduces complexity
• Provides lower latency, higher bandwidth and greater availability

[Diagram labels: Azure; WAN; Corp HQ; Branch office 1; Branch office 2; Public internet]

IPsec VPN over Internet
• Encrypted data traverses Internet to reach Azure
• Limited bandwidth and higher availability

[Diagram labels: Azure; WAN; Corp HQ; Branch office 1; Branch office 2; Public internet]

ExpressRoute Partners (NEW)

Exchange Provider

[Diagram labels: ExpressRoute partner location; Public internet; Customer site; Microsoft Azure]

Network Service Provider

[Diagram labels: Customer site 1; Customer site 2; Customer site 3; WAN; Public internet; Microsoft Azure]

ExpressRoute Locations

Locations

US
• Atlanta
• Chicago
• Dallas
• Los Angeles
• New York
• Seattle
• Silicon Valley, CA
• Washington D.C.

EMEA
• Amsterdam
• London, UK

APAC
• Hong Kong
• Singapore
• Sydney
• Tokyo

Partners
• AT&T
• British Telecom
• Colt
• Equinix
• Internet Initiative Japan (IIJ)
• Level3
• Orange
• SingTel
• Tata Communications
• Telecity Group
• Telstra
• Verizon

[Map legend: Azure datacenters; ExpressRoute Locations (today); New Locations and coming soon]

Path Diversity for HA and DR (NEW)

• One VNet can be linked to many circuits
• Each circuit can be through different service providers in different locations
• HA + DR = Active-active in 1 location + active-active in 2nd location
• Aggregate Throughput determined by VNet Gateway size

[Diagram labels: North Europe; West Europe; London; Amsterdam]

Sharing ExpressRoute Connections (NEW)

• Share an ExpressRoute circuit across other subscriptions
• Circuit owner must authorize and can revoke
• Owner gets billed for usage

[Diagram labels: Microsoft Azure; On-premises Network; Proxy / Internet edge; IIS Servers; AD / DNS; SQL Farm; Exchange; ExpressRoute; SQL DB; Storage; Websites; Monitoring; Marketing; Sales; R&D; IT; AD / DNS (repeated)]

In Summary

• Enabling more enterprise scenarios
• Enhanced network security, availability, performance, monitoring, and manageability
• Expanded partnerships
• Continued global expansion of ExpressRoute

Related content

Breakout Sessions
• CDP-B229 Mark Russinovich and Mark Minasi on Cloud Computing
• CDP-B227 Introduction to Microsoft Azure Networking Technologies and What's New
• CDP-B333 Extending Your Network to Microsoft Azure Using ExpressRoute
• CDP-B209 Designing Hybrid Scenarios with Microsoft Azure
• CDP-B212 Microsoft Azure for Enterprises: What and Why
• CDP-B226 Introduction to Microsoft Azure Infrastructure-as-a-Service
• CDP-B356 What's New in Microsoft Azure IaaS and Roadmap
• CDP-B365 Hybrid Cloud Solutions with Microsoft Azure: For Architects

Hands On Labs
• CDP-H204 Introduction to Microsoft Azure Virtual Machines
• DBI-H308 Exploring Manual and Automatic Database Backup Using Microsoft Azure Storage in Microsoft SQL Server 2014


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.