por Kit Ainscough hace 1 año
147
Ver más
cloud-based hybrid network monitoring
Azure ExpressRoute
application endpoints
service endpoints
data types
logs
metrics
time series data
no configuration required
monitors and repairs net health of IaaS
LB
App GW
VM
regional service
Topology
Traffic Analytics
reduced logs
NSG Flow logs
JSON format
VPN Diagnostics
Gateway t/shoot
Next Hop
Routing analysis
Connection Monitor
VM to VM
Connection Troubleshoot
VM to dest
Effective Security Rules
VM NIC security
Packet Capture
VM
IP Flow Verify
VM packet flow
Global entry point for web apps
Endpoints
Nested
sub-traffic manager profile
External
IP address
FQDN
Azure public IP address
App service slot
App service
Routing Methods
Subnet
mapped end-user IP address ranges
MultiValue
IPv4/6-only endpoints
Geographic
data sovereignty
Performance
latency
Weighted
canary testing
Priority
disaster recovery
DNS-based traffic load balancer
Only allowed a single VPN GW per VNET
Hourly
Public IP involvved
Bandwidth limited by SKU
VNET Peering
peered VNETs can share the remote VNET gateway
peering VNETs in different regions
Pricing
Egress
Ingress
per Deployment model
Classic model
cannot peer across tenants and subscriptions
to do this use VPN Gateway
Resource Manager model
create a peering per VNET
can peer across tenants and subscriptions, but not clouds
non transitive
high bandwidth
low latency
uses Azure backbone (private addressing)
Private Link
VNET to Azure PaaS
privately access services in Azure platform
Gateways
VPN Gateway
High availability
Active/Active
Active/Standby
PSK authentication
no VMs in the GatewaySubnet
/27 or greater
GatewaySubnet
Types
Policy based
5 min idle time
traffic selector is an ACL
address prefixes
static routing
Route based
traffic selector is any-to-any
uses routing table to direct packets to tunnels
dynamic routing
Connection options
AER
IKEDiagnosticLog
IPSEC
P2S
Authentication
AAD
requires AzureVPN client
authorised in AAD as an Enterprise Application
Global Admin rights required
only supports OpenVPN (SSL) protocol
Azure certificate authentication
AD DS
Protocols
SSTP (TCP443), OpenVPN (TCP443), or IKEv2 (UDP500, 4500)
ExpressRoute Gateway
Capabilities
encrypted
use point-to-point encryption (MACsec)
use end-to-end encryption (IPSEC)
unencrypted
by default
BFD
configured per interface, linked to BGP session
failure detection time <1s
pricing
Requirements
One of the two virtual network gateway types
ExpressRoute Circuit
Unlimited
ExpressRoute Global Reach
link ExpressRoute circuits together
ExpressRoute Direct circuit
used to create the local, std, and premium circuits
ExpressRoute Premium circuit
access to all Azure regions globally
ExpressRoute Standard circuit
min service speed is 50Mbps
access to all Azure regions in a Geopolitical area
ExpressRoute Local circuit
unlimited inbound and outbound data transfer
max service speed is 10Gbps
min service speed is 1 Gbps
access to only 1-2 Azure regions
access through HA pair of 10Gbps or 100Gbps ports
Metered
Premium price
Std price
Monthly port fee (2 HA ports)
Outbound data costs
Inbound data is free
VWAN
Hub&Spoke Architecture
Microsoft backbone
Global transit network architecture
min /24 to create a VWAN hub
managed service
Standard
NVA in a VWAN
Azure firewall
AER, P2S, S2S, InterHub, VNet-toVNet transit
Basic
S2S
can combine S2S, P2S, AER
use VWAN if > 100 S2S VPN tunnels needed
Private peering
SNAT
public prefix
can be shared across NAT gateways
contiguous
public address
each address provides 64000 SNAT ports
maximum 16 addresses
on-demand outbound SNAT
shared public IP address
allows private outbound access to the internet
properties
used to combat LB SNAT exhaustion
applied to subnets
simplifies outbound internet-only NAT
no need for a public IP attached to VMs
no need for a LB
Service chaining
VNET to gateway and on to another VNET
use of UDRs to customise routing
Route Server
requires RouteServerSubnet
no longer the need to update NVA route table
no longer the need to update UDR
NVA needs to support BGP
simplifies dynamic routing between VNET and NVA
fully managed service
custom routes
route to route-based VPN GW
on-site VPN gateway uses 0.0.0.0/0 as traffic selector
called forced tunneling
associate with subnet
system routing
default routes
routes to the internet
on-prem routes
route to Azure VPN GW
local VNET routes
associated with subnet
uses separate IP address (from VNET) for each storage account
provides secure connectivity between VNET clients and storage account
special NIC for an Azure service in VNET
traffic remains in Azure (Microsoft backbone)
eliminates public exposure
enabled on the subnet
enables private IPs in VNET to access Azure services public endpoint
types
Gateway transit
peered VNETs can share the gateway
non-transitive
no requirement for VPN gateway
regional
global
Qualities
connects two VNETs
can peer across tenants and subscriptions
uses Azure backbone
record sets
cannot have identical records
collection of dns records in a zone with same name and same type
delegation
once created, update parent registrar
use all four Azure DNS servers
zones
the same zone name can exist in another subscription, or RG
hosts dns records for a domain
Private
automatic record management
provides name resolution for VMs in VNETs
Public
Assignment
dynamic
static
Tier
Regional
Global
version
IPv6
IPv4
SKU
standard
can be zone-redundant, zonal, or no-zone
allocate NSG to permit inbound traffic
closed by default
static address assignment
basic
does not support availablity zones
open by default
dynamic or static address
scoped to a single region
secured with NSGs
certain Azure services require unique subnets
subnets must have unique address range
division of VNETs into logical units
Unavailable
168.63.129.16/32
enables VM comms to Azure
DNS
Heartbeat
Health probes
address assignment via DHCP
Link local unavailable
Loopback unavailable
Multicast unavailable
RFC1918
.255 broadcast address
.2, .3 reserved for Azure to map DNS IPs to VNET
.1 gateway address reserved
.0 network address
Azure reserves .1, .2, .3