Moving your Perimeter Network into AzureOrin Thomas@orinthomasorin@windowsitpro.com

DCI 306

Perimeter Network

Screened Subnet

Not exposed to Internet

Perimeter network Internal Network

Externalfirewall

Internalfirewall

Some exposureto Internet

Not exposed to Internet

Perimeter network Internal Network

Externalfirewall

Internalfirewall

Some exposureto Internet

This model isno longer relevant

This model isbroken

Workloads are increasingly virtualized.

This includes perimeter network workloads.

Assumes people “inside” the perimeter always have the

organisation’s best interests in mind

When servers were serversand virtualization was something

that happened on mainframes

Model worked in the 90’s

Assumes that computers and devices inside the perimeter have

not been compromised

Exposed to Internet

Not exposed to Internet

Perimeter network Internal Network

Externalfirewall

Internalfirewall

(Almost) assumes an “on prem” model of critical infrastructure

deployment

Also not relevant as more resources are being moved into

the cloud

Domain Isolation Policies

What was the goal of perimeter networks?

To host services that require exposure to the Internet and the

internal network

(Bastion Hosts)

Typical perimeter network workloads:• Proxy services

• Email gateway• Websites

• DNS• Remote access• Appliances

Hosts usually have public IP addresses

(unless NAT shenanigans)

Can’t virtualize everything (yet)

If you can’t virtualize it, you can’t move it to Azure

Significant savings in migrating workloads off perimeter network

into Azure

Not just about money:Simplify deploymentIncreased security

Increased availabilityEasy access to public IP address

Don’t have to migrate everything

to save money

First: Assess Perimeter Network Workloads

Easy to migrate

• Web sites / applications

• Email gateway• DNS

Difficult to migrate:

• Remote Access • Appliances• Proxy Servers

Azure as Perimeter Network

Some exposureto Internet

Not exposed to Internet

Azure Internal Network

Externalfirewall

Understanding Azure Public IP Addressing

Understanding Azure Endpoints

Understanding Host Level Firewalls

Understanding Azure Virtual Networks

Azure Point to Site VPN

Azure

Azure Site-to-Site VPN

Azure

Moving workloads to Azure

Virtualize Migrate

Azure

Manual Migration• Upload VHDs to Azure• Build workload in Azure and migrate

data

Automate Migration:Microsoft Migration Accelerator

for Azure

Can migrate the following to Azure:

• Physically deployed computers• VMware• Hyper-V• AWS

Automated migration:

• Automatically discover workloads from cloud

• Auto-provisioned target Azure VMs• Validate migrated workload in cloud

before cutover

Supports multi-tier applications

• Automatically migrate multi-tier production systems with application level consistency orchestrated across tiers

• Application startup order kept in place without requiring special configuration

Can discover Microsoft workloads

• Exchange• SQL Server• File Server• SharePoint• IIS

Use continuous replication to minimize cutover period

• MA for Azure supports full system replication including OS and application data

• Continuous replication and in-memory change tracking reduces cutover to minutes rather than hours

Migration Profiler

• Helps determine the size, activity and performance requirements of workloads

• Ensures correct Azure templates are being used prior to migration

• Monitors change rates, replication differential, asset health and more.

How it works

MA

Azure subscription

CS MT

PS

Workloads to migrate

MA

Azure subscription

CS MT

PS

Mobility Service agent installed on source servers.Performs real-time data capture and sync to target servers

Process Server (On Prem)

Azure subscription

MA

Server (physical or virtual). Manages communication Between agents and target VMs in Azure

Organizational Azure Subscription

MA

Azure subscription

CS MT

PS

Configuration Server (Azure VM)

MA

Azure subscription

CS MT

PS

Azure VM which manages communication between Master Target and Migration Accelerator (MA) Portal

Master Target(Azure VM)

MA

Azure subscription

CS MT

PS

Azure VM which hosts target for replicating disks of on-prem servers

MA Portal

MA

Azure subscription

CS MT

PS

Multitenant portal that can discover, configure protection,and migrate on-prem workloads to Azure

Migration Accelerator Support MatrixArea Limits

Operating Systems • Windows Server 2008 R2 SP1• Windows Server 2012• Windows Server 2012 R2

Platforms • Physical• VMware VM (ESX/ESXi/vSphere/vCenter 4.x or 5.x)• AWS• Hyper-V VM

OS Disk 127 GB

Data disks 16 disks, maximum 1 TB per data disk

Network Single VM NIC

Cluster No support for guest cluster (Azure has other HA options)

http://blogs.technet.com/b/srinathv/archive/2014/09/17/prerequisite-and-support-matrix-microsoft-migration-accelerator-for-azure.aspx

Deploying Migration Accelerator

1. Azure account2. Sign up for MA Preview3. Receive MA Portal URL, User ID & Password4. Install Configuration Server in Azure VM5. Install Master Target in Azure VM6. Install Process Server on-prem7. Register MA Account to Azure account8. Start on-prem resource discovery

• R

The Future• Virtual appliances designed for Hyper-V,

VMware, and AWS deployable to Azure• More roles supported in Azure

Related content

DCI 307 Getting Foxy with Azure IAAS

Track resources

Resource 1

Resource 2

Resource 3

Resource 4

Thanks! Don’t forget to complete your evaluations

aka.ms/mytechedmel