Azure IaaS · download.microsoft.com/.../4-1.MicrosoftAzureKoreaLive.pdf · 2018-10-13
Azure IaaS Network Architecture
From head to toe
Pyungrae Cho
Premier Field Engineer
Microsoft Korea
Virtual Network before Virtual Machine!!!
Build the network first!!!
How do we build it?
On-Premise Network Azure Network
What is Azure? (slide: service map)
Infrastructure Services / Platform Services / Security & Management
Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Azure Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, Biztalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, Azure AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, Remote App, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot
Networking
Start with a VNet
• Logical isolation (Router = VNet)
• Stability guaranteed in a shared public environment
• No communication at all between VNets
  • Requires an explicit allow configuration
• Multiple subnets can be used
• All communication between subnets in the same VNet is allowed
  • Requires an explicit block configuration
Virtual Network
VNet 0
On-Premise (Router) VNet 1
Virtual Network
Connect the VNets
Virtual Network Connectivity
Virtual Network Gateway
• Virtual appliance that connects a VNet to on-premises or a VNet to another VNet
• Virtual Gateway Size
• Virtual Gateway Type (VPN, ExpressRoute)
Size          Co-exist (VPN + ExpressRoute)   Gateway throughput (ExpressRoute)   Gateway throughput (VPN)   Max VPN tunnels
Basic         No                              500 Mbps                            100 Mbps                   10
Standard      Yes                             1000 Mbps                           100 Mbps                   10
Performance   Yes                             2000 Mbps                           200 Mbps                   30
Point-to-Site
• Connects specific on-premises clients ↔ VNet over the public Internet
• Secure connection over a certificate-based VPN tunnel
Microsoft Confidential
Root Cert, Client Cert
Site-to-Site (VPN)
• Connects the on-premises network ↔ VNet over the public Internet
• Secure connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel
• Single-site or multi-site connections are possible
On-premises
Your datacenter
Hardware VPN or Windows RRAS
Windows Azure
Virtual Network
<subnet 1> <subnet 2> <subnet 3>
DNS Server
VPN Gateway
Site-to-Site (VPN)
• Validated VPN Devices
https://docs.microsoft.com/ko-kr/azure/vpn-gateway/vpn-gateway-about-vpn-devices
ExpressRoute circuit
• Connects the on-premises network ↔ VNet over a dedicated circuit
• Seoul (KINX, Sejong Telecom)
• Busan (LG CNS+, Sejong Telecom)
• ExpressRoute Size (Standard, Premium)
• Billing Model (Unlimited, Metered)
Bandwidth   Number of VNet links (Standard)   Number of VNet links (Premium)
50 Mbps     10                                20
100 Mbps    10                                25
200 Mbps    10                                25
500 Mbps    10                                40
1 Gbps      10                                50
2 Gbps      10                                60
5 Gbps      10                                75
10 Gbps     10                                100
Site-to-Site (ExpressRoute)
• Router configuration
https://docs.microsoft.com/ko-kr/azure/expressroute/expressroute-config-samples-routing
https://docs.microsoft.com/ko-kr/azure/expressroute/expressroute-config-samples-nat
https://docs.microsoft.com/en-us/azure/expressroute/expressroute-locations
Site-to-Site (Coexistence)
• Connect multiple sites using both ExpressRoute and VPN (chosen according to the scale of each on-premises site)
Site-to-Site (Failover)
• Configure ExpressRoute and VPN as a dual setup to provide failover for the network circuit
VNet-to-VNet
• Connects VNet ↔ VNet located in the same or in different Regions
• Secure connection over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel
• Single-VNet or multi-VNet connections are possible
VNet Peering
• Communication between VNets over private IPs without configuring a separate Gateway
• Low-Latency, High-Bandwidth
• But... available only within the same Azure Region
VNet Peering (Hub and Spoke)
Control the network
Layered Security on Azure
NSG
Network Security Groups
• A firewall provided by Azure
  • Inbound, Outbound
  • Priority
  • Source IP/Port, Destination IP/Port, Protocol
  • Allow, Deny
• ACL applied to
  • Single VM
  • Single Subnet
  • Both Single VM and Single Subnet
※ Not the VM's Windows Firewall
• Uses
  • Control Internet and Intranet (VNet) traffic
  • Support DMZ Zone
Network Security Groups (Rules)
• Inbound & Outbound, Allow & Deny
• Default Rules
Demo: Deploy VNet, Subnet and NSG with PowerShell
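An added PowerShell example for the demo above (not code from the original deck): it creates a VNet with a web and a DB subnet, builds an NSG whose rules show how Priority ordering and the default rules interact, and attaches the NSG at subnet level. The resource group, region, names, address ranges and the on-premises prefix 10.100.0.0/16 are assumptions; it requires the Az PowerShell module and a signed-in session.

```powershell
# Added example (not code from the original deck): deploy a VNet, two subnets and
# an NSG with the Az PowerShell module. The resource group, region, names and
# address ranges below are assumptions chosen for illustration.
$rg       = "rg-netdemo"
$location = "koreacentral"
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# NSG rules are evaluated by Priority (lowest number first); the first match wins.
# 100: guardrail deny for management ports from the Internet. Because it has the
#      lowest number, no later Allow rule at 110 or above can reopen them by accident.
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name "Deny-Mgmt-From-Internet" `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389, 22

# 110: the only Internet-facing service port of the web tier.
$allowHttps = New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-From-Internet" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

# 120: RDP only from the on-premises range that arrives over the Site-to-Site
#      VPN or ExpressRoute link (10.100.0.0/16 is an assumed on-premises prefix).
$allowRdpOnPrem = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-From-OnPrem" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 `
    -SourceAddressPrefix "10.100.0.0/16" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-web" -SecurityRules $denyMgmt, $allowHttps, $allowRdpOnPrem

# Subnet-level association: every VM placed in snet-web inherits the NSG, which is
# enforced by the platform and is independent of the guest's Windows Firewall.
# snet-db gets no custom rules, so only the default rules apply there
# (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound).
$webSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-web" `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $nsg
$dbSubnet  = New-AzVirtualNetworkSubnetConfig -Name "snet-db" -AddressPrefix "10.0.2.0/24"
$vnet = New-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $webSubnet, $dbSubnet

# Review the resulting rule set in evaluation order, default rules included.
$rules = @(Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg) +
         @(Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -DefaultRules)
$rules | Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```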
Distribute the network traffic
Load Balancer
• A service that distributes incoming traffic across the running Instances of a defined service (Web, DB, Application ...) and provides failover between them; in other words, an L4 switch = Load Balancer
• Frontend = Public IP, Backend = VM
Load Balancer (Type)
• Internet Load Balancer
  • Public IP; distributes traffic coming in from the Internet
• Internal Load Balancer
  • Private IP; distributes traffic coming in from inside the cloud and from networks connected over VPN
DNS
DNS
• Host your DNS domain in Azure
Traffic Manager
• Use Traffic Manager to balance traffic at the DNS level
Traffic Manager (How it works)
Traffic Manager (Routing Method)
• Priority: routes according to a fixed priority order; two endpoints may not share the same priority
• Weight: routes according to weights; equal weights spread traffic evenly
• Performance: routes according to response time
Demo: DNS & Load Balancer
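An added PowerShell example for the Load Balancer part of the demo (not code from the original deck): it builds an Internal Load Balancer whose frontend is a private IP in the web subnet, with a TCP/443 health probe that takes failed instances out of rotation, and registers one VM NIC in the backend pool. The resource group, VNet and subnet names, the frontend address 10.0.1.10 and the NIC name nic-web01 are assumptions; it requires the Az PowerShell module.

```powershell
# Added example (not code from the original deck): an Internal Load Balancer with a
# private frontend in the web subnet, using the Az PowerShell module. The resource
# names, the 10.0.1.0/24 subnet and the frontend address 10.0.1.10 are assumptions.
$rg       = "rg-netdemo"
$location = "koreacentral"
$vnet      = Get-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg
$webSubnet = Get-AzVirtualNetworkSubnetConfig -Name "snet-web" -VirtualNetwork $vnet

# Frontend: for an Internal LB this is a private IP in the subnet, so the service is
# reachable only from the VNet, peered VNets and VPN/ExpressRoute-connected networks.
# An Internet LB would pass -PublicIpAddress here instead.
$frontend = New-AzLoadBalancerFrontendIpConfig -Name "fe-web" `
    -PrivateIpAddress "10.0.1.10" -SubnetId $webSubnet.Id

# Backend: the pool that the web VMs' NICs are added to.
$backend = New-AzLoadBalancerBackendAddressPoolConfig -Name "be-web"

# Health probe: a VM that fails two consecutive TCP/443 checks (30 s) is taken out
# of rotation, which is the failover behaviour the slide describes.
$probe = New-AzLoadBalancerProbeConfig -Name "probe-https" -Protocol Tcp -Port 443 `
    -IntervalInSeconds 15 -ProbeCount 2

# L4 rule: TCP 443 on the frontend is distributed to TCP 443 on healthy backends.
$rule = New-AzLoadBalancerRuleConfig -Name "lbr-https" `
    -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe `
    -Protocol Tcp -FrontendPort 443 -BackendPort 443

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name "ilb-web" -Location $location `
    -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $backend `
    -Probe $probe -LoadBalancingRule $rule

# Register an existing web VM NIC (assumed name nic-web01) in the backend pool.
$nic = Get-AzNetworkInterface -Name "nic-web01" -ResourceGroupName $rg
$nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($lb.BackendAddressPools[0])
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
```

With the Standard SKU, backend VMs that have no public IP get no outbound Internet access unless an outbound rule, NAT gateway or public IP is added, and inbound traffic only flows where an NSG allows it. The probe traffic itself is admitted by the default AllowAzureLoadBalancerInBound rule.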
Thank you