Windows Azure Virtual Networks
Agenda
• Endpoints and Connectivity
• DNS and Name Resolution
• Virtual Networks
• How Do I Setup Virtual Networks
• Virtual Networks V1 Feature Set
Endpoints and Connectivity
Overview: Connectivity in Azure
[Diagram: a load balancer (LB) in front of a cloud service; the VIP foo.cloudapp.net exposes the Input Endpoint, Internal Endpoints connect instances inside the deployment]

Input Endpoint
• Load balanced endpoint. Stable VIP per cloud service.
• Single port per endpoint
• Supported protocols: HTTP, HTTPS, TCP

Internal Endpoint
• Instance-to-instance communication
• Supported protocols: TCP, UDP
• Port ranges supported
• Communication boundary = deployment boundary
Overview: Connectivity in Azure
[Diagram: a single public IP per cloud service (cloud app / hosted service) behind the LB, with a load balanced Input Endpoint, a single Input Endpoint, port forwarding Input Endpoints (ports 3389, 5586, 5587 shown) and Internal Endpoints]
An endpoint is defined by: Public Port, Local Port, Protocol (TCP/UDP), Name
Load Balancer: Default Health Probe
[Diagram: the LB and two VMs, each running the Azure agent and the customer application; each VM reports its role status to the LB]

Load Balancer: Custom Health Probe
[Diagram: the LB and two VMs, each running the Azure agent and the customer application; role status is reported to the LB]
Hybrid solutions in Windows Azure
[Diagram: cloud and enterprise connected through the options below]
• Secure site-to-site network connectivity: Windows Azure Virtual Network
• Data synchronization: SQL Data Sync
• Application-layer connectivity & messaging: Service Bus
• Secure machine-to-machine connectivity: Windows Azure Connect
DNS and Name Resolution

DNS Scenarios
Windows Azure DNS scenarios and use-your-own DNS scenarios:
A. Client-server applications using VMs
B. Hybrid connectivity with on-premise (DNS on-premise)
C. SharePoint with custom DNS (VM)
[Diagram A: VMs running SQL Reporting Service, SQL Analysis Service and SQL Service]
[Diagram B: on-premises machines (Active Directory; SQL Service domain joined to the on-premises network; business components & entities; UI process components / web tier) reached from a VM role over the Internet]
[Diagram C: SharePoint front-end VM roles, search and index, SQL VM roles with SQL mirroring, a DC / DNS VM role with local DNS, behind an LB with open user access (website)]

Windows Azure provided DNS
[Diagram: TestVM1 asks "Who is TestVM2?" and the Azure-provided DNS answers 10.1.1.1]
Virtual Networks

Virtual Network Scenarios
Hybrid Public/Private Cloud
• Enterprise app in Windows Azure requiring connectivity to on-premise resources
Enterprise Identity and Access Control
• Manage identity and access control with on-premise resources (on-premises Active Directory)
Monitoring and Management
• Remote monitoring and troubleshooting of resources running in Windows Azure
Advanced Connectivity Requirements
• Cloud deployments requiring IP addresses and direct connectivity across services

Does Your App Need a Virtual Network?
IP Address Requirements
• Virtual Machines deployed into a virtual network have an infinite DHCP lease
Hybrid On-Premises Cloud Apps
• Requirement for connectivity between your data center and the public cloud
Connectivity between cloud services
• Deploying Active Directory in the cloud or connecting a PaaS to an IaaS service
Windows Azure Virtual Network
[Diagram: Corpnet with Subnet 1 and Subnet 2 connected to the Virtual Network in Windows Azure]
Your “virtual” branch office / datacenter in the cloud
• Enables customers to extend their Enterprise Networks into Windows Azure
• Networking on-ramp for migrating existing apps and services to Windows Azure
• Enables “hybrid” apps that span cloud/premises
A protected private virtual network in the cloud
• Enables customers to set up secure private IPv4 networks fully contained within Windows Azure
• IP address persistence
• Inter-service DIP-to-DIP communication

The “virtual” branch office
[Diagram: the Corp. HQ (IIS Servers, AD / DNS, SQL Servers, Exchange, S2S VPN device) and the Branch Office (S2S VPN device) each connected by an S2S VPN tunnel to the BRK Gateway of the Virtual Network in Windows Azure (Subnet 1, Subnet 2)]
Virtual Network Features
Customer-managed private virtual networks within Windows Azure
• “Bring your own IPv4 addresses”
• Control over placement of Windows Azure Roles within the network
• Stable IPv4 addresses for VMs
Hosted VPN Gateway enables site-to-site connectivity
• Automated provisioning & management
• Support existing on-premises VPN devices
Use on-premise DNS servers for name resolution
• Enables customers to use their on-premise DNS servers for name resolution
• Enables VMs running in Windows Azure to be joined to corporate domains running on-premise (use your on-premise Active Directory)
Example: Contoso’s Deployment
[Diagram: the Corp. HQ (10.0.0.0/16; IIS Servers, AD / DNS, SQL Farm, Exchange) behind an S2S VPN device, connected by S2S VPN tunnels to the BRK Gateway of the Contoso Production VNet in Windows Azure (10.1.0.0/16) and of Contoso Test in Windows Azure (10.2.0.0/16; subnets 10.2.2.0/24 and 10.2.3.0/24). Addresses shown: 10.0.0.10, 10.0.0.11, 131.57.23.120, 65.52.249.22, 10.1.0.4, 10.1.1.4]

Mixed Mode with VNet
[Diagram: Web Roles behind an LB together with VM Roles running business components & entities and SQL (with disks and SQL mirroring) inside one VNet]
How Do I Setup Virtual Networks?
Configuring Virtual Networks
[Diagram: IT Admin and Network Admin. On-premises: ContosoCorpOffice (10.0.0.0/16) with DNS1 10.0.0.20, DNS2 10.0.0.21 and a Cisco ASA GW at 131.57.23.45. The network configuration and the deployment package are submitted through the Windows Azure Portal (API) to create ContosoVNet (10.1.0.0/16) in MyAffinityGroup with FrontEnd Subnet (10.1.1.0/24), ADSubnet (10.1.2.0/24), SQLSubnet (10.1.3.0/24) and BESubnet (10.1.4.0/24); GW IP 65.57.23.45]
Demo
Deploying a Hybrid Network
Virtual Networks V1 Feature Set

Supported VPN Device List
Cisco
Platform                                          OS Family           Examples
ASA 5500 Series (Adaptive Security Appliances)    ASA Software 8.4+   5505, 5550
ASR 1000 Series Aggregation Services Routers      IOS XE 2.1+         1002
ISR Series Integrated Services Routers            IOS 12.2+           2801, 2901, 2911

Juniper
Platform             OS Family        Examples
SRX Series Routers   JunOS 10.2+      210, 650
J Series Routers     JunOS 9.4+       4350
ISG Series Routers   ScreenOS 6.2+    SX2
SSG Series Routers   ScreenOS 6.2+    550

Generic VPN devices must support:
• IKE v1
• AES 128, 256
• SHA1, SHA2
Add URL to public list

Note on GW redundancy and availability
• Only a single IPsec tunnel is supported per Virtual Network
• The gateway tenant on the Azure side has 2 instances (active-passive mode)
• Only one public IP address for tunnel establishment
• A pair of VPN devices can be a redundant pair using industry standard protocols: HSRP, VRRP
Limits (for V1 release)
Subscription Limits
• One Network Configuration per subscription
• Up to 5 VNets and 5 sites per subscription
• One VNet per Affinity Group
• Up to 9 DNS Servers per subscription
Virtual Network Site
• Can use addresses defined in RFC 1918
• Can connect to only one site
• No limit on subnets
Local Network Site
• Public and private IP addresses allowed
• Only one gateway IP per site
Gateway
• One GW tenant per VNet (managed by Windows Azure)
• Only one active tunnel between site and VNet
No address space overlaps
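As an added example that is not from the deck or from Microsoft, the following Python check applies the V1 rules above (RFC 1918 address spaces, subnets inside the VNet, one site per VNet, no overlaps between VNets and local sites, subscription limits) to a constructed configuration modelled on the Contoso slides. The `check_network_config` function and the dictionary layout are my own assumptions, not the Azure network configuration file format.

```python
import ipaddress

# Private ranges from RFC 1918, the only ranges a V1 virtual network site may use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# V1 per-subscription limits quoted on the Limits slide.
LIMITS = {"dns_servers": 9, "vnets": 5, "sites": 5}

def check_network_config(cfg):
    """Return the V1 rules a (constructed) network configuration breaks; an empty list means it is valid."""
    problems = []
    for key, limit in LIMITS.items():
        if len(cfg[key]) > limit:
            problems.append("more than %d %s per subscription" % (limit, key))
    spaces = []  # (owner, network) pairs that must not overlap: every VNet and every local site
    for v in cfg["vnets"]:
        space = ipaddress.ip_network(v["address_space"])
        if not any(space.subnet_of(r) for r in RFC1918):
            problems.append("%s: %s is not an RFC 1918 range" % (v["name"], space))
        if len(v["connects_to"]) > 1:
            problems.append("%s: a VNet can connect to only one local site" % v["name"])
        subnets = [(n, ipaddress.ip_network(p)) for n, p in v["subnets"].items()]
        for i, (n, s) in enumerate(subnets):
            if not s.subnet_of(space):
                problems.append("%s: subnet %s (%s) lies outside %s" % (v["name"], n, s, space))
            for m, t in subnets[i + 1:]:
                if s.overlaps(t):
                    problems.append("%s: subnets %s and %s overlap" % (v["name"], n, m))
        spaces.append((v["name"], space))
    for site in cfg["sites"]:
        spaces += [(site["name"], ipaddress.ip_network(p)) for p in site["prefixes"]]
    for i, (a, na) in enumerate(spaces):
        for b, nb in spaces[i + 1:]:
            if na.overlaps(nb):  # a VNet overlapping HQ, or two VNets overlapping, cannot be routed
                problems.append("address spaces overlap: %s %s and %s %s" % (a, na, b, nb))
    return problems

# Constructed sample modelled on the Contoso slides: HQ 10.0.0.0/16 reached through one
# gateway, production VNet 10.1.0.0/16 with four /24 subnets, test VNet 10.2.0.0/16.
CONTOSO = {
    "dns_servers": ["10.0.0.20", "10.0.0.21"],
    "sites": [{"name": "ContosoCorpOffice", "prefixes": ["10.0.0.0/16"], "gateway_ip": "131.57.23.45"}],
    "vnets": [
        {"name": "ContosoVNet", "address_space": "10.1.0.0/16", "connects_to": ["ContosoCorpOffice"],
         "subnets": {"FrontEnd": "10.1.1.0/24", "AD": "10.1.2.0/24", "SQL": "10.1.3.0/24", "BE": "10.1.4.0/24"}},
        {"name": "ContosoTest", "address_space": "10.2.0.0/16", "connects_to": [],
         "subnets": {"Subnet2": "10.2.2.0/24", "Subnet3": "10.2.3.0/24"}},
    ],
}
```

Running `check_network_config(CONTOSO)` returns an empty list; moving the test VNet onto 10.0.0.0/16 or placing a subnet outside its VNet produces the corresponding messages.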
Limitations of V1 offering
Virtual Network
• Only IPv4 addresses allowed
• No support for MCAST / BRCAST
• No support for BYO MAC address
• No support for assigning static IP addresses for VMs
• No active routing support (BGP)
• No support for forced tunneling
• No dynamic updates to virtual network address space
Cross-prem connectivity
• No support for IKE v2
• No support for cert. based auth.
• No support for 2-factor auth.
• No support for software-based VPN solutions
The Differences
Networks in customers’ premises
• Customers have full control, L2 and up
• MAC address specification and VLANs supported
• Static and DHCP address assignments supported
• MCAST, BRCAST supported
• Routing has to be configured explicitly
• Trust boundary = VLAN boundary
• Several modes of VPN connectivity supported (SSL, IPsec, …)
• WAN optimizers can be used to optimize cross-premise connectivity over the network
Virtual Networks in Windows Azure
• Customers can specify only some L3 properties
• No support for MAC and VLANs
• Only Azure-managed DHCP address assignments
• No support for MCAST and BRCAST
• Routing is implicit
• Trust boundary = VNet boundary
• Only IPsec with IKEv1 supported
• No support for WAN optimizers
Summary Of Networking Features
Input Endpoint
• Supported protocols: HTTP, HTTPS, TCP, UDP
• Load balancing for virtual machines
• Custom load balancer probes
Windows Azure Traffic Manager
Name Resolution
• Windows Azure-provided DNS service for service-level name resolution
• Runtime APIs for instance identification
• Windows Azure-provided DNS for VM-level name resolution
• Using your DNS servers for name resolution
Internal Endpoint
• Instance-to-instance communication
• Supported protocols: TCP, UDP, any IP-based protocol
Windows Azure Virtual Network for hybrid scenarios
[Diagram: LB, VIP Input Endpoint, Internal Endpoints]
Resources
• TechNet Evaluation Center: download Microsoft software trials today. technet.microsoft.com/evalcenter
• Microsoft Virtual Academy: take a free, online course. microsoftvirtualacademy.com
• IT Camps: find an additional IT Camp near you. technet.microsoft.com/globalitcamps
• Microsoft Certifications: get certified on Microsoft products & technologies. aka.ms/certifications
• TechNet Edge: get weekly Microsoft news and watch technical video interviews with the product teams for IT Pros. edge.technet.com
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.