Scribd Logo
Upload

Welcome to Scribd!

  • 6 views

    ESLZ NetworkDeepDive AAC

    Uploaded by

    oaidai

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    ESLZ NetworkDeepDive AAC

    Uploaded by

    oaidai
    6 views31 pages

    Original Title

    ESLZ_NetworkDeepDive_AAC

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    6 views31 pages

    ESLZ NetworkDeepDive AAC

    Uploaded by

    oaidai

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 31

    Azure Architects Connect

    “Azure Landing Zones /


    Deep Dive Network”
    Christopher Feussner, Security Cloud Solutions Architect
    14. Oktober 2021
    Agenda

    Intro Azure Landing Zone & Enterprise-Scale


    Critical Design Area Networking
    • Considerations like IP Address Planning
    • Network Topology & Segmentation
    • DNS
    • Connectivity to Azure (Hub & Spoke, Virtual WAN)
    • Azure Firewall & Co.
    • Connectivity to Azure PaaS (within Landing Zone)
    Q&A

    ©Microsoft Corporation
    Azure
    Metropolis
    Using an analogy, this is similar to
    how city utilities such as water, gas,
    and electricity are accessible before
    new houses are constructed. In this
    context, the network, IAM, policies,
    management, and monitoring are
    shared 'utility' services that must be
    readily available to help streamline
    the application migration process.
    Enterprise-scale?

    Enterprise-scale is an architecture approach and reference implementation that enables effective


    construction and operationalization of landing zones on Azure, at scale and aligned with Azure
    Roadmap and Microsoft Cloud Adoption Framework for Azure.

    Authoritative Proven Prescriptive


    Provides holistic design Based on success of Apply it on clearly plan
    decision framework for large-scale migration and design your Azure
    Azure Platform. projects at-scale. environment.
    Enterprise-scale Design Principles

    Subscription Democratisation

    Enable Autonomy for Innovation and


    Policy Driven Governance
    Transformation

    Security and Compliance By-Default Single Control and Management Plane

    Governance At-Scale with Sustainable


    Application Centric and Archetype-
    Cloud Engineering
    Neutral

    Azure Native Design and Platform


    Roadmap Alignment
    Enterprise-scale Design Guidelines

    Management Group
    Enterprise Enrolment Identity & Access
    & Subscription
    & Azure AD Tenants Management
    Organisation

    Network Topology & Management & Business Continuity


    Connectivity Monitoring & Disaster Recovery

    Security, Governance Platform Automation


    & Compliance & DevOps
    Enterprise-scale
    What are you going to build?

    A house A stadium A bridge

    ©Microsoft Corporation
    Azure
    All foundations are NOT created equal

    A house A stadium A bridge

    ©Microsoft Corporation
    Azure
    Enterprise-scale
    landing zone(s)
    The principle purpose of the
    “Landing Zone” is therefore to
    ensure that when an application
    or workload lands on Azure, the
    required “plumbing” is already in
    place, providing greater agility
    and compliance with enterprise
    security and governance
    requirements.
    Network Topology
    & Connectivity

    Consider the following design elements:


    Overview ▪

    IP Address planning
    Configure DNS
    ▪ Define Azure Network topology
    ▪ Azure Virtual WAN (Microsoft Managed)
    ▪ Traditional Azure networking (Customer Managed)
    ▪ Connectivity to Azure
    ▪ Azure Firewall & Co.
    ▪ Connectivity to Azure PaaS (within Landing Zone)
    Network
    Topology &
    Connectivity

    IP Addressing
    • No IP address overlap, no public IP’s internal
    • Size not to big, not to small, purpose driven
    • Usage of private IP addresses (RFC1918)
    Example - DNS resolution flow when a VM in a VNET tries to resolve private endpoint:

    Network
    Topology &
    Connectivity

    DNS
    technologies and topology
    Network approaches for Azure deployments
    Topology &
    Connectivity

    Define an Azure
    Networking
    Topology
    Network Virtual WAN Global Transit Network
    Topology &
    Connectivity

    Virtual WAN
    Network Enterprise-Scale with Azure Virtual WAN
    Topology &
    Connectivity

    Virtual WAN

    Enterprise-Scale/Readme.md at main · Azure/Enterprise-Scale · GitHub


    Network
    Topology &
    Connectivity

    Traditional
    Hub and Spoke
    Network Enterprise-Scale with Hub & Spoke
    Topology &
    Connectivity

    Traditional
    Hub and Spoke
    Enterprise-Scale/README.md at main · Azure/Enterprise-Scale · GitHub
    Azure Route Server (ARS) enables network appliances to exchange
    route information with Azure virtual networks dynamically.
    Network
    Topology & Azure Route Server supports Azure ExpressRoute and VPN
    gateways to automatically take the latest route information from
    Connectivity Azure Route Server instead of manually talking to each network.

    Azure Route Server


    Network
    Topology &
    Connectivity

    Azure Route Server


    Network
    Topology &
    Connectivity

    Azure Route Server


    Dual-homed network with
    Integration with ExpressRoute
    Azure Route Server
    Network Azure Route Server Example Scenario
    Topology &
    Connectivity

    Azure Route Server

    Lab/RS-ER-VPN-Gateway-Transit at master · dmauser/Lab · GitHub


    Network ▪ Landing zone owners should be able
    Topology & to create subnets and manage
    Connectivity Network Security Groups (NSGs)
    ▪ Use NSG flow logs and traffic analytics
    ▪ Use Application Security Groups
    (ASGs) for intra-vnet controls
    ▪ Inter-landing zone traffic can be NSG,
    Azure Firewall or NVA
    Segmentation
    ▪ Deploy WAFs inside landing zones
    Network
    Topology & ▪ Use ExpressRoute as the primary
    Connectivity connectivity
    ▪ When over 10 Gbps is needed use
    ExpressRoute Direct
    ▪ Use multiple peering locations for
    resiliency
    Connectivity ▪ Enable Fast Path to lower latency
    to Azure
    Azure Firewall, Load Balancer, Front Door and
    Web Application Firewall
    Network
    Topology &
    Connectivity

    Internet
    Connectivity
    Network
    Topology &
    Connectivity

    ▪ VPN connection by using IPsec (A)


    ▪ Use MACsec for ExpressRoute Direct
    customers (B)
    Encryption ▪ IPsec over ExpressRoute private peering for
    Options virtual WAN (C)
    ▪ VNET to VNET VPN Gateways for inter-
    landing zone encryption
    Network ▪ Use Network Watcher packets to capture
    Topology & despite the limited capture window.
    Connectivity ▪ Evaluate whether the latest version of
    NSG flow logs provides the level of
    detail that you need
    ▪ Use partner solutions for scenarios that
    require deep packet inspection
    ▪ Don't develop a custom solution to
    Traffic Inspection mirror traffic. Complexity and
    supportability issues may arise.
    Azure Private Endpoint & Private Link
    Network
    Topology &
    Connectivity

    Connectivity to
    Azure PaaS PaaS
    services
    Azure Private Endpoint & Private Link
    Network
    Topology &
    Connectivity

    Connectivity to
    Azure PaaS
    ▪ Enterprise-scale design principles and
    Network implementation can be adopted by all customers,
    Topology & no matter what size and history their Azure estate.
    Connectivity ▪ Reference implementations enable security,
    monitoring, networking, and any other plumbing
    needed for landing zones autonomously through
    policy enforcement.

    Enterprise-Scale Reference Implementation

    Reference
    Implementation
    Q&A

    ©Microsoft Corporation
    Azure

    You might also like