Hybrid Hyper-scale Enterprise Grade Azure compute regions.

Spark the future. May 4 – 8, 2015, Chicago, IL

Transcript of Hybrid Hyper-scale Enterprise Grade Azure compute regions.

Page 1:

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2:

An Overview of Microsoft Azure New Networking Capabilities
Yousef Khalidi
Distinguished Engineer
Microsoft Azure Networking

BRK2456

Page 3:

What’s new at Ignite

Virtual Networking
• User Defined Routes
• Public IP address mobility
• Multiple load-balanced IPs

DNS Services
• Azure DNS – Domain hosting

Azure Resource Manager
• New network APIs, PowerShell
• New JSON-based templates

Network Virtual Appliances
• New partners and scenarios

ExpressRoute
• ExpressRoute Premium add-on
• ExpressRoute for Office 365

VPN
• ExpressRoute coexistence
• New Standard Gateway

Page 4:

Hybrid

Hyper-scale

Enterprise

Grade

Page 5:

Azure compute regions

Hyper-scale Footprint

Page 6:

Azure compute regions

19 Azure compute regions open today
More than AWS and Google Cloud combined

Hyper-scale Footprint

Page 7:

Hyper-Growth
• 5.1T: AZURE STORAGE TRANS. IN MARCH 2015
• 50T: STORAGE OBJECTS IN AZURE
• 425M: AZURE ACTIVE DIRECTORY USERS
• 20M: SQL DATABASE HOURS USED EVERY DAY

Hyper-Scale
• 85 iXP
• 4400+ CONNECTIONS TO 1695 NETWORKS
• 1.4M: MILES OF FIBER IN OUR DATA CENTERS
• 4x: WRAP THE EARTH IN NORTH AMER FIBER
• $15B: MICROSOFT CLOUD INVESTMENT

Page 8:

Microsoft’s network is one of the largest in the world

[Map: Microsoft Azure datacenter regions; Internet connectivity by country]

Legend: Internet users
■ 500,000,000+
■ 100,000,000 – 499,999,999
■ 50,000,000 – 99,999,999
■ 25,000,000 – 49,999,999
■ 5,000,000 – 24,999,999
■ 100,000 – 4,999,999
■ 50,000 – 999,999
■ 0 – 49,999

*Operated by 21Vianet

INDIA NORTH TBD

Page 9:

Classic vs. Hyper-scale networks

Classic networks
• Large L2 Domains
• HW-based Service
• Simple Tree Design
• Diversity and manual provisioning
• Complex hardware and lack of automated operations
• High complexity and human error

Hyper-scale networks
• L3 at all Layers
• Software Service
• Clos-based design
• Automated provisioning, integrated process
• Simplify requirements, optimized design, and unify infrastructure
• Resilient, automated monitoring and remediation, low human involvement

Compared on: Agility, Efficiency, Availability

[Diagram labels: L3, L2, LB/FW]

Page 10:

Software-defined networking (SDN)

Building the right abstractions to enable Scale and Agility
• Abstract Management, Control, and Data planes
• Tell & Program instead of Discover and react

Example: ACLs
• Management: Create a tenant
• Control: Plumb tenant ACLs to switches
• Data: Apply ACLs to these flows

Tenant
Compose compute & storage roles and networks

[Diagram labels: Physical Transport Plane; Control Plane; Application Plane; Management Plane; Switch; Controller; Azure Front End; Proprietary Hardware Appliance; Commodity Hardware]

Page 11:

The Big (Network) Picture

Front-End Access
• Dynamic/Reserved Public IP addresses
• Direct VM access, ACLs for security
• Load balancing
• DNS services: hosting, traffic management
• DDoS protection

Virtual Network
• “Bring Your Own Network”
• Segment with subnets and security groups
• Control traffic flow with User Defined Routes

Backend Connectivity
• Point-to-site for dev / test
• VPN Gateways for secure site-to-site connectivity
• ExpressRoute for private enterprise grade connectivity

[Diagram labels: Users; Internet; Azure; Virtual Network; Backend Connectivity; ExpressRoute; VPN Gateways]

Page 12:

Internet Connectivity

Page 13:

DNS Services

Traffic Manager
• Globally route user traffic with flexible policies
• Enable best-of-class end to end user experience

Azure DNS (New)
• Host your DNS domains in Azure
• Integrate your Web and Domain hosting

Page 14:

Azure DNS Global footprint

New
• Global footprint of DNS servers
• Anycast fast query performance
• Ultra-available

Page 15:

Traffic Manager

www.contoso.com

Traffic Management Policies
• Latency – Direct to “closest” service
• Round Robin – Distribute across all services
• Failover – Direct to “backup” if primary fails
• Nested – Flexible multi-level policies

Page 16:

Internet IP Addresses & Load Balancing

Public IP Addresses in Azure
Can be used for instance (VM) level access or load balancing

Instance-level IP
• Internet IP assigned exclusively to a single VM
• Entire port range is accessible by default
• Primarily for targeting a specific VM

Load balanced IP (VIP)
• Internet IP load balanced among one or more VM instances
• Allows port redirection
• Primarily for load balanced, highly available, or auto-scale scenarios

[Diagram labels: Internet; Microsoft Azure; LB; VM1, VM2; IP1, IP2; 151.2.3.4 (VIP); 131.3.3.3 (Instance-level IP); 131.3.4.4 (Instance-level IP)]

Page 17:

Multiple Load-balanced IPs

New
• Common use case: multiple SSL end points
• Across one or more VMs

[Diagram labels: Internet; IP1, IP2, IP3, IP4; AZURE; LB; SSL Website 1, SSL Website 2, SSL Website 3, SSL Website 4; ports 443, 443, 443, 443 and 443, 444, 445, 446]

Page 18:

Reserved IPs

New
• Retain your IP addresses
• IPs on existing services can be reserved
• IPs can be moved between services in seconds

[Diagram labels: Internet; Reserved IP; Reserved IP Moves; Azure Load Balancer; Cloud Service 1, Cloud Service 2]

Page 19:

DNS Names for Public IP

New
• FQDN access to a virtual machine
• Available for virtual machines and web/worker roles
• Automatic DNS registration/de-registration during scale-up, scale-down

[Diagram labels: Internet; Contoso App with 2 virtual machines; VM Instance 1, VM Instance 2; Webrole.0.contoso.cloudapp.net 130.26.10.80; Webrole.1.contoso.cloudapp.net 130.26.5.120]

Page 20:

Virtual Networks

Page 21:

Bring your own network
• Create subnets with your private or public IP addresses
• Bring your own DNS or use Azure-provided DNS
• Secure with Network Security Group ACLs
• Control traffic flow with User Defined Routes

[Diagram labels: Azure; Virtual Network; Frontend 10.1/16; Mid-tier 10.2/16; Backend 10.3/16; VPN GW; Internet; Direct Internet Connectivity; On Premises 10.0/16; AD / DNS; VPN & ExpressRoute]

Page 22:

User Defined Routes

New
• Control traffic flow in your network with custom routes
• Attach route tables to subnets
• Specify next hop for any address prefix
• Set default route to force tunnel all traffic to on-premises or appliance

[Diagram labels: Internet; Virtual Network; FrontEnd Subnet; BackEnd Subnet; VM/Appliance; VM with “IP Forwarding”; System Route; User Defined Route; Default Route]

Page 23:

Multiple NICs in Azure VMs

Update
• Up to 16 NICs per VM
• NSG and Routes on all NICs
• Can separate frontend, backend, and management

[Diagram labels: Virtual Machine; NIC2; NIC1; Default; Virtual Network; Frontend Subnet; Mgmt Subnet; Backend Subnet; Internet; 10.2.2.22; 10.3.3.33; 10.1.1.11; VIP 133.44.55.66]

Page 24:

Securing the Network

Page 25:

Layered Security, Protection, and Isolation

[Diagram labels: DDoS Protection; Virtual Network Isolation; NSG; VM Firewall; Cloud Services & Virtual Machines; Internet; ACLs]

Page 26:

Network Security Groups
• Segment network to meet security needs
• 5 tuple ACLs on both directions
• Can protect Internet and internal traffic
• Enables DMZ subnets
• Associated to subnets/VMs and now NICs
• ACLs can be updated independent of VMs

[Diagram labels: Virtual Network; Frontend 10.1/16; Mid-tier 10.2/16; Backend 10.3/16; VPN GW; Internet; On Premises 10.0/16; ExpressRoute and VPNs]

Page 27:

Network Virtual Appliances

Page 28:

Network Virtual Appliances

Overview
• VMs that perform specific network functions
• Focus: Security (Firewall, IDS, IPS), Router/VPN, ADC (Application Delivery Controller), WAN Optimization
• Typically Linux or FreeBSD-based platforms

Scenarios
• IT Policy & Compliance – Consistency between on premises & Azure
• Supplement/complement Azure capabilities

Azure Marketplace
• Available through Azure Certified Program to ensure quality and simplify deployment
• You can also bring your own appliance and license

Page 29:

Virtual Appliances - Firewalls, IDS/IPS, VPNs
Secure your virtual networks in Azure

[Diagram labels: Azure Virtual Network; DMZ; IDS/IPS; Internet; Cross-premises connectivity]

Page 30:

Scenario – Application Delivery Controller
Frontend load balancing and delivery control

[Diagram labels: Internet; ADC & Load Balancer; Virtual Network; Web Farms; Applications]

Page 31:

Scenario – WAN Optimization
Optimizing cross premises traffic

[Diagram labels: Customer On Premises; Microsoft Azure; Compress/Optimize]

Page 32:

Network Virtual Appliance Ecosystem

Page 33:

Cross premises connectivity

Page 34:

Connectivity Options and Hybrid Offerings

Columns: Cloud; Customer Segment and workloads

Secure site-to-site VPN connectivity
• SMB, Enterprises
• Connect to Azure compute

Secure point-to-site connectivity
• Developers
• POC Efforts
• Small scale deployments
• Connect from anywhere

ExpressRoute private connectivity
• SMB & Enterprises
• Mission critical workloads
• Backup/DR, media, HPC
• Connect to Microsoft services

Internet Connectivity
• Consumers
• Access over public IP
• DNS resolution
• Connect from anywhere

Page 35:

On-premises VPN Ecosystem

Page 36:

Connectivity choices: Internet or Private

Cloud on your WAN
• Traffic flows directly from customer WAN to Microsoft
• Reduces complexity
• Lower latency, higher bandwidth and higher availability

IPsec VPN over Internet
• Encrypted data traverses Internet to reach Azure
• Limited bandwidth and higher availability

[Diagram labels, shown for each option: Microsoft; WAN; Corp HQ; Branch office 1; Branch office 2; Public internet]

Page 37:

ExpressRoute

ExpressRoute provides a private, dedicated, high-throughput network connection to Microsoft
• Security
• Lower cost
• Predictable performance
• High throughput

[Diagram labels: Microsoft; WAN; Corp HQ; Branch office 1; Branch office 2; Public internet]

Page 38:

ExpressRoute Connectivity
• Traffic to public IP addresses in Azure
• Traffic to Virtual Networks
• Traffic to Office 365 Services

[Diagram labels: Customer’s network; Customer’s connection; Partner Edge; Microsoft Edge]

Page 39:

ExpressRoute Partners

Exchange Provider
[Diagram labels: Customer site; Exchange; Public internet; Microsoft]

Network Service Provider
[Diagram labels: Customer site 1; Customer site 2; Customer site 3; WAN; Public internet; Microsoft]

Page 40:

ExpressRoute Sites and Partners

• Atlanta, Chicago, Chicago (Gov Cloud)*, Dallas, LA, NY, Seattle, Silicon Valley, Washington DC, Washington DC (Gov Cloud)*
• Sao Paulo
• Amsterdam, Dublin*, London
• Chennai*, Hong Kong, Mumbai*, Melbourne*, Osaka*, Singapore, Sydney, Tokyo

Page 41:

ExpressRoute and S2S VPN Coexistence

NEW
• S2S VPN as a backup for ExpressRoute
• S2S connectivity to branch offices
• Connecting Virtual Networks in other Azure regions

[Diagram labels: ExpressRoute; Contoso HQ; Exchange; AD/DNS; IIS Servers; SQL Farm; Monitoring; Contoso virtual networks/VMs; Internet; Services on public IPs; VPN Gateway (Internet Edge)]

Page 42:

ExpressRoute Premium Add On

NEW
• Global connectivity: Link a Virtual Network from any Azure Region to your ExpressRoute circuit
• More routes (IP prefixes): Supports up to 10,000 routes, increase from 4,000 routes
• Connect more Virtual Networks: Up to 100 virtual networks depending on bandwidth option

Page 43:

VPN Gateways for Virtual Network

NEW
• ExpressRoute gateway or VPN gateway needed to access a virtual network
• Introducing a new Standard Gateway
• Supports ExpressRoute and VPN coexistence
• Improved throughput for ExpressRoute

Virtual Network Gateway

SKU | ExpressRoute GW Throughput | VPN GW ExpressRoute Coexistence | VPN GW Throughput | VPN GW Max IPsec Tunnels | Cost (USD) / Hour
Basic | 500 Mbps | No | 100 Mbps | 10 | $0.04
Standard | 1000 Mbps | Yes | 100 Mbps | 10 | $0.19
Performance | 2000 Mbps | Yes | 200 Mbps | 30 | $0.49

Note that ExpressRoute traffic for Azure public services, O365, and Skype for Business does NOT go through a Virtual Network gateway

Page 44:

Office 365 Timelines and Partners

Launch Partners
Other providers soon to follow

Locations
All Microsoft Regions.

General Availability
Q3 CY 2015

Supported Workloads
• Exchange Online & Exchange Online Protection
• SharePoint Online, OneDrive for Business, Office 365 Video, Delve
• Skype for Business Online (formerly Lync Online)
• Office Online
• Power BI and Project Online

Page 45:

Azure Resource Manager – a new way to provision services

Page 46:

Network Resource Provider

NEW
• New REST API surface
• Loosely coupled network resource model
• Fine grained access/control of networking resource
• RBAC of networking resources
• Support for logging and tagging
• Highly performant & scalable
• Regional resiliency
• Imperative and declarative management style

[Diagram labels: StorageAccount; VirtualMachine; VMExtension; AvailabilitySet; VirtualNetwork; Subnet; NetworkInterfaceCard; PublicIPAddress; LoadBalancer; NetworkSecurityGroup; NetworkSecurityRule; TrafficManager; VirtualNetworkGateway]

Page 47:

Click To Deploy in Cloud

NEW
• Readily available templates to Click and Deploy from GitHub
• Rapidly customize and automate your build & deployment
• Versatile management interfaces
  • REST API
  • PowerShell
  • Azure CLI
  • SDK (.NET, Node.JS, Java)
  • Azure Portal

Page 48:

Putting it all together
• User Defined Routes on subnets to direct flows to appliances
• Network Security Groups to secure subnets
• Network Virtual Appliances for security, routing and ADC
• Secure cross-premises connectivity with ExpressRoute and VPN Gateways

[Diagram labels: ExpressRoute; Infrastructure (protected); Middle Tier (exposed to FE and Infra); Front End – through firewalls; Site-to-site VPN; Internet connectivity]

Page 49:

Demo

Page 50:

Summary

Azure Networking

New at Ignite
• User Defined Routes
• Public IP address mobility
• Multiple load-balanced IPs
• Azure DNS – Domain hosting
• New network APIs, PowerShell
• New JSON-based templates
• Network Virtual Appliances
• ExpressRoute Premium and O365
• VPN ExpressRoute Coexistence

Enterprise-Ready
Global Scale
Strong Partners
Complete Solutions

Page 51:

Learn more with FREE IT Pro Resources

Expand your Hybrid Infrastructure Knowledge

Free technical training resources:
• On-demand online training: http://aka.ms/learnhybrid

Free ebooks:
• Rethinking Enterprise Storage: A Hybrid Cloud Model: http://aka.ms/hybrid-storage-ebook
• Microsoft Azure Essentials: Fundamentals of Azure: http://aka.ms/azure-fundamentals-ebook

Join the IT Pro community:
• Twitter @MS_ITPro

Page 52:

Ignite Azure Challenge Sweepstakes

Attend Azure sessions and activities, track your progress online, win raffle tickets for great prizes!

Aka.ms/MyAzureChallenge

Enter this session code online: BRK2456

NO PURCHASE NECESSARY. Open only to event attendees. Winners must be present to win. Game ends May 9th, 2015. For Official Rules, see The Cloud and Enterprise Lounge or myignite.com/challenge

Page 53:

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.

Please evaluate this session
Your feedback is important to us!

Page 54:

© 2015 Microsoft Corporation. All rights reserved.