Architect to Architect
Training & Practice Building for Solution Architects

Azure Enterprise Governance & Security Designs
Mohamed Sharaf

Agenda
- Subscription design & management
- Resource groups
- Access control, billing, and usage
- Subscription governance
- Policies & Activity Log alerts
- Azure networking overview

Architect to Architect: Subscription Design

Management Portals
Enterprise Portal (https://ea.azure.com/)
- Manage access
- Manage accounts
- Manage subscriptions
- View price sheet
- View usage summary
- Manage usage & lifecycle email notifications
- Manage authentication types
- Manage Marketplace access
Account Portal (https://account.windowsazure.com)
- Edit subscription details
- Enroll in or enable preview features
Management Portal (https://manage.windowsazure.com or https://portal.azure.com)
- Provision/de-provision Azure services
- Manage co-administrators on subscriptions
- Open support tickets for issues within the subscription

Enterprise Azure Roles and Portals
- https://ea.windowsazure.com: the Enterprise Administrator owns the Enterprise Enrollment; Department Administrators own Departments
- https://account.windowsazure.com: Account Owners own Accounts
- https://portal.azure.com: Service Administrators own Subscriptions
(Hierarchy: Enrollment > Departments > Accounts > Subscriptions)

What is an Azure Subscription?
Governs the following:
- Billing relationship (the billing APIs now support the Enterprise Enrollment level)
- Account administration
- Role Based Access Control (RBAC) to artifacts
- Boundaries/limits (for example, a virtual network lives inside one subscription)
- Attached to 1 Azure AD tenant (one Azure AD tenant can be associated with many subscriptions)
- Associated to an enterprise enrollment account

Enterprise Dev/Test subscription
- Enabled by marking the account as Dev/Test
- Even better rates for VMs, HDInsight, Cloud Services, and Websites because there is no license cost
- All usage consumes Azure Monetary Commitment funds
- Exclusive gallery images, like Windows 7 / 8.x / 10 client
- Dev/test use only and no SLA
- Should be created by a user who has an MSDN subscription
- A normal subscription can be converted to a Dev/Test subscription

Account Setup Methodology
(Diagram: three ways to split one Enterprise enrollment into accounts, each account holding subscriptions)
- Functional: accounts Finance and Marketing (Subscriptions 1-3)
- Business division: accounts Automotive and Life Sciences (Subscriptions 4-6)
- Geographic: accounts North America and Europe (Subscriptions 7-9)

Subscription Considerations
- Management approach: single team or cross-organizational
- Security requirements: Role Based Access Control (RBAC), data or network security
- Environments: Sandbox, Dev, Test, UAT, Pre-Prod, Prod
- Connectivity requirements: single point of ingress? Multiple regions?
- Application requirements
- Compliance

Subscription Limits
- Default limits are soft limits, a safety net for the customer
- Change them from the portal (Subscriptions > Usage + quotas)
- Fill in the request form; most increases are applied immediately (the ones marked below need support approval)

Subscription Limits (subset), Resource Manager API, default limit / maximum limit
- VMs per subscription: 10,000 / 10,000 per region
- Cores per subscription: 20 / 10,000 per region
- Storage accounts per subscription: 100 / 250 (support approval required)
- Managed Disks: 10,000 per subscription per storage type
- Virtual networks per subscription: 50 / 1,000
- Local networks per subscription: 10 / 500
- Network Security Groups: 100 / 5,000
- Public IP addresses (dynamic): 60 / contact support
- Reserved public IP addresses: 20 / contact support
- Resource groups per subscription: 800 / 800
Source: https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits

Suggested subscription topology
(Diagram: Enterprise Enrollment > Departments: Central IT, Business Unit 01, Business Unit 02 > Accounts: Central IT Prod, Central IT Dev/Test, BU01 Acct, BU02 Acct > Subscriptions: Central IT Subscription, Dev/Test Subscription, BU01 Subscription, BU02 Subscription)

Architect to Architect: Subscription Management

How do I manage an Azure Subscription?
Service Manager (classic) roles
- Account Administrator (create, cancel, billing)
- Service Administrator (by default the same identity as the Account Administrator)
- Co-Administrator (cannot change Azure AD, billing, create subscriptions, etc.)
Resource Manager roles
- Role based access via role assignment
Account types
- Personal (Microsoft Accounts)
- Organizational accounts (Azure AD): an O365/Intune/CRM/EMS sign-up creates the Azure AD tenant; additional services/subscriptions can be added to it
As a Partner
- Partner manages (on behalf of)
- Partner pays for (service provider model)

How do I manage someone else's ARM subscription?
- Transfer the subscription
- Add as a co-owner
- User ID / app ID on the subscription (service administrator)
- User ID / app ID on a resource group

Subscription operations
- Each subscription trusts only one Azure AD tenant
- Subscriptions in the same Enterprise Enrollment can trust different tenants
- Change the AD trust
- Cancel subscription: data is retained for 90 days before it is permanently deleted; contact support to reactivate within those 90 days and the data is restored

Resource Groups
- Logical group for Azure resources
- The Azure portal (portal.azure.com) works only with Azure Resource Manager APIs
- Every resource has to be in a resource group
- You can deploy and manage resources as one group
- Deploy using programmatic syntax or declarative (template) syntax

Architect to Architect Demo: Manage subscriptions using the Portal, PowerShell & Azure CLI

Architect to Architect: Access Control, Billing, and Usage

2 generations of Azure
Azure Service Management (ASM), https://manage.windowsazure.com
- No Role Based Access Control
- Not available in CSP
Azure Resource Manager (ARM), https://portal.azure.com
- Resource Groups & Tags
- Role Based Access Control

Role Based Access Control (RBAC)
- Allows secure access with granular permissions
- Assignable to users, groups, or service principals
- Built-in roles make it easy to get started
NOTE: RBAC in ARM applies to resources exposed via ARM. Software inside VMs may have its own security mechanisms, which should be considered during design.

Role Based Access Control (RBAC)
- Effective permissions can be listed per subscription, resource group or resource
- Effective permissions can be listed per user
- Using the portal, PowerShell or Azure CLI
- 68 built-in roles
- All RBAC assignments are tracked in the Azure Activity Log

Custom RBAC
- Custom roles if the built-in roles are not appropriate
- Can be created by PowerShell, CLI or REST API
- Up to 2,000 custom roles per tenant
- Operations can be assigned (Actions) or excluded (NotActions)
- Excluded operations are not a deny: NotActions only subtracts from the role's own Actions; another assignment held by the same principal can still grant the operation

Custom RBAC
- Get-AzureRmProviderOperation shows the operations of the Azure Resource Providers
- Get-AzureRmRoleDefinition shows the built-in or custom role definitions
- Export a built-in role, customize it, then create it with New-AzureRmRoleDefinition -InputFile

Mapping teams to RBAC (examples)
- Storage Administrator: built-in role Storage Account Contributor
- Network Operator, Network Engineer: built-in role Network Contributor (Network Contributor permissions)
- Platform Operator, Platform Engineer: built-in role Virtual Machine Contributor (Virtual Machine Contributor permissions)
- Security Engineer: custom role (Security Admin + Security Manager)

Architect to Architect Demo: RBAC

Resource Tags
- Name-value pairs assigned to resources or resource groups
- Subscription-wide
- Each resource can have up to 15 tags
- Name <= 512 characters, value <= 256 characters
- No inheritance (a resource group's tags do not flow down to its resources)
- Not for classic (ASM) resources

Resource Tags
- Tags can be applied in ARM templates, PowerShell and Azure CLI, but NOT in the creation wizard in the portal

Tagging Tips
- Tag by environment, e.g. dev/test/prod
- Tag by role, e.g. web/cache/db
- Tag by department, e.g. finance/retail/legal
- Tag by responsible party, e.g. Bob
- From the EA portal, you can get billing Excel sheets that include the tags

Demo Architecture
(Diagram: a resource group containing an availability set with VM0 and VM1, storage, a virtual network, two network interfaces and a load balancer; the Virtual Machine Contributor role is assigned at the resource group)

Billing APIs
- Balance and Summary (monthly)
- Usage Details (daily, export to CSV)
- Marketplace Store Charge
- Price Sheet
- Billing Periods
Azure Cost Management
- Former Cloudyn offering
- Free for enterprise customers until June 2018

Architect to Architect Demo: RBAC and Tagging

Azure Resource Manager Policies
- Establish conventions
Policy definition
- parameters
- display name
- description
- policy rule: logical evaluation (if) and effect (then)
Policy assignment
- Subscription
- Resource Group

Azure Resource Manager Policies: Scenarios
- Chargeback: require departmental tags
- Geo compliance: ensure resource locations
- Service catalogue: select your service catalog
- Convention: enforce naming & tags
- Combine ARM Policies with Activity Log Alerts to cover all requirements

Azure Resource Manager Policies: examples

Architect to Architect Demo
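The policy scen​arios above (chargeback tags, geo compliance, naming convention) can be exercised offline before anything is assigned in a subscription. The Python below is an added example, not code from the deck or from Microsoft: it evaluates policy definitions written in the ARM policy rule shape (parameters, an "if" condition built from allOf/anyOf/not and field operators, a "then" effect) against constructed deployment requests, honouring assignment scope so that a resource-group assignment does not bite outside its group. The subscription ID, resource group names, resource names and the three policies are assumptions made for the example; the "match" wildcards follow Azure's definition (# digit, ? letter, . any character), while "equals" is a plain exact comparison here (Azure's is case-insensitive).

```python
"""Offline evaluator for ARM policy definitions (added example; constructed data)."""
import fnmatch
import re


def _get_field(resource, field):
    """Resolve a policy field alias: 'type', 'name', 'location' or 'tags.<name>'."""
    if field.startswith("tags."):
        return resource.get("tags", {}).get(field[len("tags."):])
    return resource.get(field)


def _resolve(value, params):
    """Substitute a [parameters('x')] reference with the assignment's parameter value."""
    if isinstance(value, str):
        m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value)
        if m:
            return params[m.group(1)]
    return value


def _match(value, pattern):
    """Policy 'match' operator: '#' = digit, '?' = letter, '.' = any char, else literal."""
    if value is None or len(value) != len(pattern):
        return False
    return all({"#": v.isdigit(), "?": v.isalpha(), ".": True}.get(p, v == p)
               for v, p in zip(value, pattern))


def evaluate_condition(cond, resource, params):
    """Evaluate the 'if' block of a policy rule against one resource."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    value = _get_field(resource, cond["field"])
    if "equals" in cond:
        return value == _resolve(cond["equals"], params)
    if "in" in cond:
        return value in _resolve(cond["in"], params)
    if "notIn" in cond:
        return value not in _resolve(cond["notIn"], params)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "like" in cond:
        return value is not None and fnmatch.fnmatchcase(value, _resolve(cond["like"], params))
    if "match" in cond:
        return _match(value, _resolve(cond["match"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, assignments):
    """Apply every assignment whose scope contains the resource; deny wins, audits are collected."""
    result = {"effect": "allow", "denied_by": [], "audit": []}
    rid = resource["id"].lower()
    for a in assignments:
        scope = a["scope"].lower()
        if rid != scope and not rid.startswith(scope + "/"):
            continue  # assignment scope does not cover this resource
        rule = a["policy"]["policyRule"]
        if evaluate_condition(rule["if"], resource, a.get("parameters", {})):
            name = a["policy"]["displayName"]
            if rule["then"]["effect"].lower() == "deny":
                result["effect"] = "deny"
                result["denied_by"].append(name)
            else:
                result["audit"].append(name)
    return result


# --- constructed policies and assignments for the deck's three scenarios -------------------
GEO = {"displayName": "Geo compliance: allowed locations",
       "parameters": {"allowedLocations": {"type": "array"}},
       "policyRule": {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
                      "then": {"effect": "deny"}}}
CHARGEBACK = {"displayName": "Chargeback: require department tag",
              "policyRule": {"if": {"field": "tags.department", "exists": "false"},
                             "then": {"effect": "deny"}}}
NAMING = {"displayName": "Convention: VM names look like vm-???-##",
          "policyRule": {"if": {"allOf": [{"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
                                          {"not": {"field": "name", "match": "vm-???-##"}}]},
                         "then": {"effect": "audit"}}}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # hypothetical subscription id
ASSIGNMENTS = [
    {"scope": SUB, "policy": GEO, "parameters": {"allowedLocations": ["westeurope", "northeurope"]}},
    {"scope": SUB + "/resourceGroups/finance", "policy": CHARGEBACK},  # resource-group scope only
    {"scope": SUB, "policy": NAMING},
]


def sample_resources():
    """Constructed deployment requests as the policy engine would see them."""
    def res(rg, rtype, name, location, tags=None):
        return {"id": f"{SUB}/resourceGroups/{rg}/providers/{rtype}/{name}",
                "type": rtype, "name": name, "location": location, "tags": tags or {}}
    vm, sa = "Microsoft.Compute/virtualMachines", "Microsoft.Storage/storageAccounts"
    return {"ok_vm": res("finance", vm, "vm-fin-01", "westeurope", {"department": "finance"}),
            "wrong_region": res("finance", vm, "vm-fin-02", "eastus", {"department": "finance"}),
            "untagged": res("finance", sa, "finlogs01", "westeurope"),
            "sandbox_vm": res("sandbox", vm, "junkbox", "westeurope")}


if __name__ == "__main__":
    for label, r in sample_resources().items():
        print(f"{label:13} {evaluate(r, ASSIGNMENTS)}")
```

Note what the scope check buys and costs: the untagged storage account in the finance group is denied, while the untagged VM in the sandbox group slips through because the chargeback policy is assigned only to finance; only the naming audit catches it. That is the deck's point about combining policies (and Activity Log alerts) so that every requirement has an owner at the right scope.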

ARM policies (demo)

Architect to Architect: Azure Monitor

Azure Monitor
- One-stop built-in monitoring for Azure on multiple levels
- Does not use a separate agent

Azure Monitor has many sources
- Activity Log
- Diagnostics logs, application logs and metrics: performance counters, application logs, Windows event logs, .NET EventSource, IIS logs, manifest-based ETW, crash dumps, custom error logs
- Integrates with Log Analytics, Event Hubs & storage accounts

Azure Monitor
- Can create alerts based on metrics or on the Activity Log
- Alerts deliver immediate SMS/email or webhook notifications
Activity Log alert use cases
- When certain types of resources are created
- When the state of important resources is altered
- When an important resource restarts or changes

Architect to Architect: Naming Conventions in Azure

Naming Conventions: importance
- Describes the type of resource in the subscription
- Puts the naming pattern in an order that allows easier application-level grouping for potential showback/chargeback billing
- Automation
Naming Conventions: considerations. Some resource names are:
- Constrained to be unique across all of Azure
- Constrained by length
- Constrained to alphanumeric characters
- Constrained to be unique within the account
- Not allowed to include upper-case characters
- Not allowed to contain offensive or forbidden substrings
Requirements. Ensure:
- Unique Azure naming
- Case sensitivity requirements
- Application association
- Environment association
- Region association
- Instance association
- Object association

Azure Naming Constraints: examples
- Some resource names must be globally unique across Azure, e.g. SQL Server names and storage account names
- Some resource names are constrained by length, e.g. a Search service name must be 2 to 15 characters
- Some resource names are constrained to alphanumeric characters, e.g. a storage account name cannot contain dashes, dots, etc.
- Some resource names must be unique within a scope, e.g. a storage table name must be unique within its Azure storage account
- Some resource names cannot contain upper-case characters, e.g. storage account names must be all lower case

Architect to Architect: Subscription Governance summary

Subscription Design Guidance (General)
- Work or School Accounts, not Microsoft Accounts: use organizational accounts to sign up for and manage Azure; connect your Azure AD with on-premises AD
- Resource Groups, not Subscriptions: use resource groups to segregate workloads with different access needs; avoid granting access to individual resources unless necessary
- Manage access using groups: assign access to AD groups and manage group membership for ongoing access management
- Enable Multi-Factor Authentication: use Azure AD conditional access policies to require MFA for Azure management
- Least privilege: pick the right role for the job, Contributor not Owner
- Model on-

Subscription Design Guidance (General)
- Keep a tab on access changes: monitor changes to access settings; regularly dump and review the entire access policy
- Control the number of subscriptions: start with 3 (1 business unit/function, 1 IT, 1 Dev)
Identity Management
- Use the customer's Azure Active Directory for Azure governance roles
- Add at least one more Enterprise Administrator
- Use functional accounts, not named accounts, for roles, especially for Account Owners and Service Administrators
Security and Identity
- If the subscription includes Azure Active Directory, IaaS domain controllers, or connects to domain controllers of an on-premises Active Directory, the subscription administrators and co-administrators are de facto domain owners as well (they control the VMs and disks those domain controllers run on).
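The custom RBAC slides state that excluded operations (NotActions) are not a deny, and the governance summary above asks you to keep a tab on access changes, which the Activity Log records for every role assignment. The Python below is an added example, not code from the deck or from Microsoft, that models both points: it lists which assignments grant an action at a scope (a union over the principal's assignments at that scope and its ancestors, each role contributing Actions minus its own NotActions), and it replays constructed Activity Log records of roleAssignments/write into assignments, alerting on the ones that land at subscription scope or grant a high-risk operation. The subscription ID, resource group, principals, callers, the abbreviated role definitions and the HIGH_RISK probe list are assumptions; real Activity Log records carry the assignment in a JSON request body, flattened here into the properties field.

```python
"""Added example: offline model of ARM RBAC evaluation plus an Activity Log review of
role-assignment changes. Constructed data; not the deck's or Microsoft's code."""
import fnmatch

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # hypothetical subscription
RG = SUB + "/resourceGroups/app-prod"                         # hypothetical resource group

# Abbreviated role definitions. Reader/Contributor/Owner follow the shape of Azure's
# built-in roles; "Security Engineer" is a hypothetical custom role: VM-contributor-style
# actions with delete excluded through NotActions.
ROLES = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write"]},
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Security Engineer": {"Actions": ["Microsoft.Compute/virtualMachines/*",
                                      "Microsoft.Network/networkSecurityGroups/*"],
                          "NotActions": ["Microsoft.Compute/virtualMachines/delete"]},
}


def _matches(action, patterns):
    """Operation strings are case-insensitive; '*' matches any run of segments."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def role_permits(role, action):
    """One role permits an action when Actions matches it and NotActions does not.
    NotActions only narrows this role; it is not a deny that other assignments must honour."""
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])


def _covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and everything beneath it."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def grants(principal, action, scope, assignments, roles=ROLES):
    """Assignments (held at this scope or an ancestor) that permit the action. Empty == not allowed."""
    return [f'{a["role"]} @ {a["scope"]}' for a in assignments
            if a["principal"] == principal and _covers(a["scope"], scope)
            and role_permits(roles[a["role"]], action)]


# Probe operations worth an alert when a new assignment grants them (assumed list).
HIGH_RISK = ["Microsoft.Authorization/roleAssignments/write",
             "Microsoft.Compute/virtualMachines/delete",
             "Microsoft.Storage/storageAccounts/listKeys/action"]


def review_role_assignment_writes(records, roles=ROLES):
    """Replay succeeded roleAssignments/write records into assignments and flag risky ones.
    Returns (applied_assignments, alerts)."""
    applied, alerts = [], []
    for r in records:
        if (r["operationName"].lower() != "microsoft.authorization/roleassignments/write"
                or r["status"] != "Succeeded"):
            continue  # other operations, and failed attempts, change nothing
        p = r["properties"]
        a = {"principal": p["principalId"], "role": p["roleDefinition"], "scope": p["scope"]}
        applied.append(a)
        reasons = [op for op in HIGH_RISK if role_permits(roles[a["role"]], op)]
        if a["scope"].lower().count("/") == 2:  # "/subscriptions/<id>" == whole subscription
            reasons.append("subscription-wide scope")
        if reasons:
            alerts.append({"caller": r["caller"], **a, "reasons": reasons})
    return applied, alerts


BASELINE = [  # constructed: the reviewed, intended assignments
    {"principal": "sec-eng-group", "role": "Security Engineer", "scope": RG},
    {"principal": "sec-eng-group", "role": "Reader", "scope": SUB},
]

ACTIVITY_LOG = [  # constructed records; a simplified subset of Activity Log fields
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "caller": "bob@contoso.example",
     "properties": {"principalId": "sec-eng-group", "roleDefinition": "Contributor", "scope": SUB}},
    {"operationName": "Microsoft.Compute/virtualMachines/restart/action", "status": "Succeeded",
     "caller": "alice@contoso.example", "properties": {}},
    {"operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Failed",
     "caller": "mallory@contoso.example",
     "properties": {"principalId": "mallory", "roleDefinition": "Owner", "scope": SUB}},
]

if __name__ == "__main__":
    vm = RG + "/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
    delete = "Microsoft.Compute/virtualMachines/delete"
    print("baseline grants for delete:", grants("sec-eng-group", delete, vm, BASELINE))
    applied, alerts = review_role_assignment_writes(ACTIVITY_LOG)
    for alert in alerts:
        print("ALERT", alert)
    print("after the logged change:", grants("sec-eng-group", delete, vm, BASELINE + applied))
```

Before the logged change, the custom role's NotActions keeps the group away from VM deletion; one Contributor assignment at subscription scope, written by a different caller, makes deletion effective everywhere below, and the custom role's exclusion has nothing to say about it. That is why the review flags subscription-wide writes regardless of who the principal is, and why the Activity Log, not the role definition, is the place to watch.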

Subscription Design Guidance (Networking)
Connectivity
- The subscription is the required container that holds a virtual network, and networking is often a shared resource within an enterprise
- Virtual networks do NOT span subscriptions
ExpressRoute
- Minimize the number of subscriptions (take network requirements and ExpressRoute boundaries into account)
- 10 virtual networks can be attached to a single ExpressRoute Standard circuit, so at most 10 subscriptions could be attached to that circuit (Premium varies from 20 to 100)

Architect to Architect: Network Isolation

Virtual Network
- Isolated, logical network providing connectivity for Azure Virtual Machines
- User-defined address space (can be one or more IP ranges, not necessarily RFC 1918)
- 1. Connectivity for VMs in the same VNet (intra-VNet)
- 2. Connectivity to external networks / on-premises DCs
- 3. Internet connectivity (outbound allowed by default, inbound blocked)
(Diagram: VNet1, address space 10.57.0.0/16 and 10.66.0.0/24, with the three traffic paths: intra-VNet, on-premises, Internet)

Subnet (think of a VLAN)
- IP subnet
- Provides full layer-3 semantics and partial layer-2 semantics (DHCP, ARP; no broadcast/multicast)
- A subnet spans only one range of contiguous IP addresses
- VMs can be deployed only to subnets (not to VNets)
(Diagram: VNet1, address space 10.57.0.0/16 and 10.66.0.0/24; Subnet1 10.57.1.0/24 and Subnet2 10.66.0.0/24 holding VM1 to VM7)

Network Interface
- A virtual NIC connects VMs to subnets
- One or more private IP addresses (private in the subnet's IP range, not necessarily RFC 1918)
- A private IP address is always assigned via Azure DHCP
- Static assignment: DHCP always assigns the same IP
- Dynamic assignment: DHCP may assign a new IP when the VM is restarted
- IP forwarding: required for Network Virtual Appliance use cases
- Public IP: a NAT address
(Diagram: NIC properties: Assignment = static/dynamic, IP Forwarding = yes/no, Public IP, IpConfiguration, attached to a subnet; the VM sees only its private IP (DIP))

Switching/Routing in Azure VNets
- A VNet provides switching/routing functionality that allows VMs to talk to each other
(Diagram: VNet2, address space 10.57.0.0/16; Subnet1 10.57.1.0/24 with VM1-VM3, Subnet2 10.57.2.0/25 with VM4-VM6, connected through the Azure VM switch)
- Please note that, in an Azure VNet, packets can flow between two different subnets without explicitly traversing any layer-3 device. Azure's network virtualization stack effectively works as a layer-3 switch.

Network Security Groups (NSGs)
- List of port-based security rules
- Assigned to subnets or NICs

Azure Connectivity Options and Hybrid Offerings
- Internet connectivity: consumers; access over public IP; DNS resolution; connect from anywhere
- Secure point-to-site connectivity: developers, POC efforts, small-scale deployments; connect from anywhere
- Secure site-to-site VPN connectivity: SMB, enterprises; connect to Azure compute
- ExpressRoute private connectivity: SMB & enterprises; mission-critical workloads, backup/DR, media, HPC; connect to all Azure services

Virtual Network Gateway
- Virtual layer-3 device that routes traffic to remote networks
- Virtual device attached to an Azure VNet (similar to VMs)
- Always provisioned in a reserved subnet named GatewaySubnet
- Highly available service
- The GatewaySubnet is part of the VNet's address space (/27 or bigger)
- Each gateway is associated with a public IP address (via Azure Load Balancer)
- Two types of gateways: VPN & ExpressRoute
(Diagram: VNet1 10.57.0.0/16; Subnet1 10.57.1.0/24 with VM1-VM3; Subnet2 10.57.2.0/25 with VM4-VM6; GatewaySubnet 10.57.3.0/27 holding the Virtual Network Gateway, all behind the Azure VM switch/router)

ExpressRoute is dedicated connectivity
(Diagram: the customer network/datacenter reaches the Microsoft network, the Azure datacenters and the Office 365 datacenter over ExpressRoute instead of over the Internet)

Azure Intra-Cloud Connectivity Options
- VNet to VNet via VPN: used to connect VNets in multiple Azure regions; supports transit routing with BGP-enabled VPNs
- Virtual Network Peering: VNet peering within a region; wire-speed throughput; combined with VPN and ExpressRoute for transit
- VNet to VNet via ExpressRoute: ExpressRoute connectivity allows VNet-to-VNet connectivity over the Microsoft backbone

VNet to VNet via VPN
- VNets can be connected with each other via IPsec tunnels
(Diagram: VNet3 10.57.0.0/16 with Subnet1 10.57.1.0/24 and GatewaySubnet 10.57.3.0/27; VNet4 10.6.0.0/16 with Subnet1 10.6.11.0/24 and GatewaySubnet 10.6.3.0/27; a VPN VNet-2-VNet connection between the two gateways)

VNet to VNet via VPN: how a VNet-2-VNet connection is reflected in the route table
Before the connection, each VNet has only its system routes:
System route table VNet3
- 10.57.0.0/16 -> Local VNet
- 0.0.0.0/0 -> Internet
System route table VNet4
- 10.6.0.0/16 -> Local VNet
- 0.0.0.0/0 -> Internet

VNet to VNet via VPN

How a VNet-2-VNet connection is reflected in the route table
After the connection is established, each VNet learns the remote address space with next hop "VNet Gateway":
System route table VNet3
- 10.57.0.0/16 -> Local VNet
- 10.6.0.0/16 -> VNet Gateway
- 0.0.0.0/0 -> Internet
System route table VNet4
- 10.6.0.0/16 -> Local VNet
- 10.57.0.0/16 -> VNet Gateway
- 0.0.0.0/0 -> Internet

VNet to VNet via VPN: routing with multiple VNet-2-VNet connections
(Diagram: VNet3 10.57.0.0/16 connected to VNet4 10.6.0.0/16 and to VNet5 10.7.0.0/16 (Subnet1 10.7.8.0/24, GatewaySubnet 10.7.3.0/27) by two separate VPN connections)
System route table VNet3
- 10.57.0.0/16 -> Local VNet
- 10.6.0.0/16 -> VNet GW
- 10.7.0.0/16 -> VNet GW
- 0.0.0.0/0 -> Internet
System route table VNet4
- 10.6.0.0/16 -> Local VNet
- 10.57.0.0/16 -> VNet GW
- 0.0.0.0/0 -> Internet
System route table VNet5
- 10.7.0.0/16 -> Local VNet
- 10.57.0.0/16 -> VNet GW
- 0.0.0.0/0 -> Internet
No transit routing: VNet4 and VNet5 do not have routes in their tables to send traffic to each other!

VNet to VNet via VPN: how to achieve any-to-any connectivity?
Option #1: full mesh topology (each VNet is directly connected to every other VNet)
(Diagram: VNet3, VNet4 and VNet5 with a VNet-2-VNet connection on every pair)
Option #2: leverage BGP support
(Diagram: the same VNet3-VNet4 and VNet3-VNet5 connections, now with BGP enabled on both)
System route table VNet4 (with BGP)
- 10.6.0.0/16 -> Local VNet
- 10.57.0.0/16 -> VNet GW
- 10.7.0.0/16 -> VNet GW
- 0.0.0.0/0 -> Internet
VNet4 now has a route to send traffic to VNet5; VNet3 acts as a transit network.

VNet to VNet via VPN: how to achieve any-to-any connectivity?
Option #1: Full mesh
- Efficient routing: each VNet is directly connected to every other VNet
- Many VNet-2-VNet connections to be maintained
- Cross-VNet communication performance is capped by the VNet gateways' bandwidth
Option #2: BGP + transit routing
- Traffic between VNets may cross 1 or more transit networks
- Any-to-any connectivity is possible with fewer VNet-2-VNet connections
- Cross-VNet communication performance is capped by the VNet gateways' bandwidth

Limitation shared by both options: VNet peering addresses it by pushing the complexity of connecting VNets into Azure's network stack!

VNet to VNet via ExpressRoute
- VNets can be connected with each other via an ExpressRoute circuit (via IP tunnels)
(Diagram: VNet3 10.57.0.0/16 (Subnet1 10.57.1.0/24, GatewaySubnet 10.57.3.0/27, ExpressRoute gateway) and VNet4 10.6.0.0/16 (Subnet1 10.6.11.0/24, GatewaySubnet 10.6.3.0/27, ExpressRoute gateway) both attached to the ExpressRoute circuit across the Microsoft backbone network; the customer side of the circuit is P2P Ethernet, fiber or MPLS/IP VPN)
System route table VNet3
- 10.57.0.0/16 -> Local VNet
- 0.0.0.0/0 -> Internet
System route table VNet4
- 10.6.0.0/16 -> Local VNet
- 0.0.0.0/0 -> Internet
(Only the system routes are shown; prefixes learned over the circuit appear with next hop Virtual Network Gateway, as in the VPN case.)

VNet to VNet via ExpressRoute: how to have multiple VNet connections (up to 10/100)
(Diagram: VNet3, VNet4 and VNet5 (10.7.0.0/16, Subnet1 10.7.8.0/24, GatewaySubnet 10.7.3.0/27), each with its own ExpressRoute gateway and its own connection to the same ExpressRoute circuit)

What is VNet peering?
- The ability to merge two Azure VNets so that VMs in the two VNets can communicate with each other as if they were on the same VNet
(Diagram: VNet1 and VNet2, each with Subnet1 (VM1-VM3) and Subnet2 (VM4-VM6) behind its own switching/routing; after peering, both share one switching/routing domain)

VNet peering key facts
- Traffic across peered VNets is managed in a very similar way to intra-VNet traffic
- Works for VNets in the same region
- Provides the same performance as intra-VNet traffic
- Works across subscriptions (if the subscriptions are under the same Azure AD tenant)
- At least one of the two VNets must be ARM
- VNet peering is non-transitive
(Diagram: VNet1 <-peering-> VNet2 <-peering-> VNet3)
- VNet1 can send/receive traffic to/from VNet2
- VNet2 can send/receive traffic to/from VNet1 and VNet3
- VNet3 can send/receive traffic to/from VNet2
- VNet1 cannot send/receive traffic to/from VNet3 unless there is a routing appliance in VNet2 to handle inter-VNet traffic (see the Hub & Spoke topology)

VNet peering topology: Hub & Spoke
(Diagram: the Hub site (shared services) VNet is peered with the HR VNet, the Marketing VNet and the Engineering VNet)
- All VNets can communicate with the Hub VNet, but HR, Marketing and Engineering cannot natively* talk to each other
*see the transit VNet slide

VNet peering topology: partial mesh
(Diagram: the Hub site is peered with HR, Marketing and Engineering, and some spokes are additionally peered with each other)

VNet peering topology: full mesh
(Diagram: every VNet, the Hub site, HR, Marketing and Engineering, is peered with every other)

Gateway transit
- A VNet's ability to route traffic that neither originated in it nor is destined to it
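The route-table walk-through above (VNet3/VNet4/VNet5 over VPN, with and without BGP), the non-transitive peering rule, the hub & spoke topology and gateway transit can all be checked with one small model. The Python below is an added example, not code from the deck or from Azure: it derives system route tables from a declared topology and resolves a destination by longest-prefix match, exactly the lookup the slides' tables imply. The VNet3/VNet4/VNet5 address spaces are the slides' own; the hub & spoke addresses, the on-premises network 192.168.0.0/16 (modeled as an extra network entry behind the hub's gateway), and the simplification that one flag stands for both AllowGatewayTransit on the hub and UseRemoteGateways on the spoke are assumptions.

```python
"""Added example: a small model of Azure system routes for VNet-to-VNet VPN connections,
BGP transit, VNet peering and gateway transit. Constructed topology, not the deck's code."""
import ipaddress

DEFAULT = ipaddress.ip_network("0.0.0.0/0")


class Fabric:
    """VNets plus the connections between them; route_tables() derives the system routes."""

    def __init__(self):
        self.vnets, self.vpn, self.peerings = {}, [], []

    def vnet(self, name, *address_spaces):
        self.vnets[name] = [ipaddress.ip_network(s) for s in address_spaces]
        return self

    def connect(self, a, b, bgp=False):  # VNet-2-VNet (or site-to-site) VPN connection
        self.vpn.append((a, b, bgp))
        return self

    def peer(self, hub, spoke, gateway_transit=False):  # peering; optionally spoke uses hub's gateway
        self.peerings.append((hub, spoke, gateway_transit))
        return self

    def route_tables(self):
        rt = {n: [(p, "Local VNet") for p in ps] + [(DEFAULT, "Internet")]
              for n, ps in self.vnets.items()}

        def add(n, prefix, hop):
            if all(p != prefix for p, _ in rt[n]):
                rt[n].append((prefix, hop))

        # Static connection: only the two endpoints learn each other's address space.
        for a, b, bgp in self.vpn:
            if not bgp:
                for p in self.vnets[b]: add(a, p, "VNet Gateway")
                for p in self.vnets[a]: add(b, p, "VNet Gateway")
        # BGP: a gateway advertises its own address space plus what it learned via BGP,
        # so prefixes propagate across BGP-enabled links (transit). Iterate to convergence.
        learned = {n: set() for n in self.vnets}
        changed = True
        while changed:
            changed = False
            for a, b, bgp in self.vpn:
                if not bgp:
                    continue
                for x, y in ((a, b), (b, a)):
                    for p, hop in list(rt[x]):
                        if (hop == "Local VNet" or p in learned[x]) and all(q != p for q, _ in rt[y]):
                            rt[y].append((p, "VNet Gateway"))
                            learned[y].add(p)
                            changed = True
        # Peering: direct routes only; nothing learned through a peer is propagated further.
        for hub, spoke, transit in self.peerings:
            for p in self.vnets[spoke]: add(hub, p, "VNetPeering")
            for p in self.vnets[hub]: add(spoke, p, "VNetPeering")
            if transit:  # the hub's gateway routes become reachable from the spoke
                for p, hop in list(rt[hub]):
                    if hop == "VNet Gateway":
                        add(spoke, p, "VNet Gateway")
        return rt


def lookup(table, ip):
    """Longest-prefix match. 'Internet' for an RFC 1918 destination means no private path exists."""
    ip = ipaddress.ip_address(ip)
    return max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)[1]


def build_vpn_topology(bgp):
    """The deck's VNet3/VNet4/VNet5 address spaces; VNet3 connected to both others."""
    f = Fabric().vnet("VNet3", "10.57.0.0/16").vnet("VNet4", "10.6.0.0/16").vnet("VNet5", "10.7.0.0/16")
    return f.connect("VNet3", "VNet4", bgp).connect("VNet3", "VNet5", bgp).route_tables()


def build_hub_spoke(gateway_transit):
    """Hub & spoke peering; address spaces and the on-premises network (192.168.0.0/16,
    reached through the hub's gateway) are hypothetical."""
    f = (Fabric().vnet("Hub", "10.10.0.0/16").vnet("HR", "10.11.0.0/16")
         .vnet("Marketing", "10.12.0.0/16").vnet("OnPrem", "192.168.0.0/16"))
    f.connect("Hub", "OnPrem")
    return f.peer("Hub", "HR", gateway_transit).peer("Hub", "Marketing", gateway_transit).route_tables()


if __name__ == "__main__":
    for bgp in (False, True):
        rt = build_vpn_topology(bgp)
        print(f"BGP={bgp}: VNet4 -> 10.7.8.4 via {lookup(rt['VNet4'], '10.7.8.4')}")
    for transit in (False, True):
        hs = build_hub_spoke(transit)
        print(f"gateway transit={transit}: HR -> Marketing via {lookup(hs['HR'], '10.12.0.4')}, "
              f"HR -> on-prem via {lookup(hs['HR'], '192.168.1.1')}")
```

Running it reproduces the slides: VNet4 falls through to the default route for anything in VNet5 until BGP is enabled on both of VNet3's connections, and HR reaches on-premises only once gateway transit is on, while HR and Marketing never reach each other through the hub. A next hop of Internet for a private destination is the same as unreachable; that is the gap a full mesh, BGP transit or an NVA in the hub has to close, and it is also why a leaked route of that kind is worth an alert rather than a shrug.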

(Diagram: VNet1 <-peering-> VNet2, whose Virtual Network Gateway (IPsec or ExpressRoute) reaches the on-premises network; VM A in VNet1 reaches on-premises through VNet2's gateway)
- VNet1 and VNet2 must both be ARM!

Network Virtual Appliances (aka NFV)
- VMs implementing network functions virtualization
- Firewall
- Application firewall
- IDS/IPS
- Load balancer
- VPN devices
- WAN acceleration (SD-WAN)
- Routing
- You must plan for HA for NVAs

Azure features that enable NVA scenarios

Resources
- Design for subscription boundaries
- Billing and Usage APIs
- Azure Resource Manager provides RBAC, tagging, organization, and deployment
- Samples: https://github.com/Azure/azure-quickstart-templates
- Documentation: http://azure.microsoft.com/en-us/documentati

Resources
- Best practices for enterprises moving to Azure | Microsoft Docs: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-subscription-governance

2015-2016 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
