Azure Architects Connect


Azure Architects Connect: "Azure Landing Zones / Deep Dive Network"
Christopher Feussner, Security Cloud Solutions Architect
14 October 2021

Agenda
- Intro: Azure Landing Zone & Enterprise-Scale
- Critical Design Area Networking: considerations like IP address planning, network topology & segmentation, DNS, connectivity to Azure (hub & spoke, Virtual WAN), Azure Firewall & Co., connectivity to Azure PaaS (within the landing zone)
- Q&A
Microsoft Corporation, Azure

Metropolis
Using an analogy, this is similar to how city utilities such as water, gas, and electricity are accessible before new houses are constructed. In this context, the network, IAM, policies, management, and monitoring are shared 'utility' services that must be readily available to help streamline the application migration process.

Enterprise-scale?
Enterprise-scale is an architecture approach and reference implementation that enables effective construction and operationalization of landing zones on Azure, at scale and aligned with the Azure roadmap and the Microsoft Cloud Adoption Framework for Azure.
- Authoritative: provides a holistic design decision framework for the Azure platform.
- Proven: based on the success of large-scale migration projects.
- Prescriptive: apply it to clearly plan and design your Azure environment.

Enterprise-scale Design Principles
- Subscription democratisation
- Enable autonomy for innovation and transformation
- Security and compliance by default
- Governance at scale with sustainable cloud engineering
- Policy-driven governance
- Single control and management plane
- Application-centric and archetype-neutral
- Azure-native design and platform roadmap alignment

Enterprise-scale Design Guidelines
- Enterprise enrolment & Azure AD tenants
- Identity & access management
- Management group & subscription organisation
- Network topology & connectivity
- Management & monitoring
- Business continuity & disaster recovery
- Security, governance & compliance
- Platform automation & DevOps

Enterprise-scale

What are you going to build?
A house, a stadium, a bridge

All foundations are NOT created equal
A house, a stadium, a bridge

Enterprise-scale landing zone(s)
The principal purpose of the "Landing Zone" is therefore to ensure that when an application or workload lands on Azure, the required "plumbing" is already in place, providing greater agility and compliance with enterprise security and governance requirements.

Network Topology & Connectivity: Overview
Consider the following design elements:
- IP address planning
- Configure DNS
- Define the Azure network topology: Azure Virtual WAN (Microsoft managed) or traditional Azure networking (customer managed)
- Connectivity to Azure
- Azure Firewall & Co.
- Connectivity to Azure PaaS (within the landing zone)

Network Topology & Connectivity: IP Addressing
- No IP address overlap; no public IPs used internally
- Size not too big, not too small: purpose driven
- Use private IP addresses (RFC 1918)
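The three rules above are easy to state and easy to break once dozens of landing zones request address space. The script below is added here as an example and is not part of the deck: it checks a constructed, hypothetical address plan (names and ranges are invented) for overlap, RFC 1918 membership and Azure's five reserved addresses per subnet, and verifies the dedicated hub subnets against the minimum sizes Azure documented at the time (AzureFirewallSubnet /26, GatewaySubnet and RouteServerSubnet /27 or larger).

```python
import ipaddress

# Constructed example address plan for a hub-and-spoke landing zone
# (hypothetical names and ranges, not taken from the deck).
# Two entries deliberately break the rules so the checks have something to find.
PLANNED_VNETS = [
    ("hub-weu",       "10.10.0.0/22"),
    ("lz-corp-app1",  "10.10.4.0/24"),
    ("lz-online-web", "10.10.5.0/24"),
    ("lz-corp-app2",  "10.10.4.128/25"),  # overlaps lz-corp-app1
    ("lz-legacy",     "172.15.0.0/16"),   # just outside 172.16.0.0/12, so not RFC 1918
    ("onprem-dc",     "10.0.0.0/16"),     # on-premises range that must not collide
]

# Dedicated hub subnets and the minimum prefix length Azure documents for them
# (AzureFirewallSubnet must be /26; GatewaySubnet and RouteServerSubnet /27 or larger).
DEDICATED_SUBNET_MIN_PREFIX = {
    "AzureFirewallSubnet": 26,
    "GatewaySubnet": 27,
    "RouteServerSubnet": 27,
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the whole range sits inside one of the RFC 1918 private blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def find_overlaps(plan):
    """Return every pair of names whose address spaces overlap, in plan order."""
    nets = [(name, ipaddress.ip_network(cidr, strict=True)) for name, cidr in plan]
    return [
        (a_name, b_name)
        for i, (a_name, a_net) in enumerate(nets)
        for b_name, b_net in nets[i + 1:]
        if a_net.overlaps(b_net)
    ]


def usable_hosts(cidr):
    """Usable addresses in an Azure subnet: Azure reserves 5 per subnet
    (network, broadcast and three for the platform)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def check_dedicated_subnet(name, cidr):
    """True if a dedicated hub subnet is at least as large as Azure requires."""
    prefix = ipaddress.ip_network(cidr, strict=True).prefixlen
    return prefix <= DEDICATED_SUBNET_MIN_PREFIX[name]


def check_plan(plan):
    """Run the overlap and RFC 1918 checks and return the findings."""
    return {
        "overlaps": find_overlaps(plan),
        "not_rfc1918": [name for name, cidr in plan if not is_rfc1918(cidr)],
    }


if __name__ == "__main__":
    for key, findings in check_plan(PLANNED_VNETS).items():
        print(f"{key}: {findings}")
    print("usable hosts in 10.10.4.0/24:", usable_hosts("10.10.4.0/24"))
    print("AzureFirewallSubnet as /27 ok?", check_dedicated_subnet("AzureFirewallSubnet", "10.10.0.0/27"))
```

Run it before a landing zone subscription is vended, and keep the on-premises ranges in the same plan file: the overlap that hurts most is the one between a new spoke and a data centre range that only shows up once ExpressRoute routes arrive.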

Network Topology & Connectivity: DNS
Example: DNS resolution flow when a VM in a VNet tries to resolve a private endpoint (diagram).

Network Topology & Connectivity: Define an Azure Networking Topology
Technologies and topology approaches for Azure deployments.

Network Topology & Connectivity: Virtual WAN
Virtual WAN global transit network.

Network Topology & Connectivity: Enterprise-Scale with Azure Virtual WAN
See Enterprise-Scale/Readme.md at main · Azure/Enterprise-Scale · GitHub.

Network Topology & Connectivity: Traditional Hub and Spoke

Network Topology & Connectivity: Enterprise-Scale with Hub & Spoke (traditional hub and spoke)
See Enterprise-Scale/README.md at main · Azure/Enterprise-Scale · GitHub.

Network Topology & Connectivity: Azure Route Server
Azure Route Server (ARS) enables network virtual appliances to exchange route information with Azure virtual networks dynamically over BGP. Azure Route Server also lets Azure ExpressRoute and VPN gateways automatically take the latest route information from Azure Route Server, instead of routes having to be maintained manually for each network.

Network Topology & Connectivity: Azure Route Server (diagram)

Network Topology & Connectivity: Azure Route Server
Dual-homed network with Azure Route Server; integration with ExpressRoute.

Network Topology & Connectivity: Azure Route Server Example Scenario
See Lab/RS-ER-VPN-Gateway-Transit at master · dmauser/Lab · GitHub.

Network Topology & Connectivity: Segmentation
- Landing zone owners should be able to create subnets and manage Network Security Groups (NSGs)
- Use NSG flow logs and traffic analytics
- Use Application Security Groups (ASGs) for intra-VNet controls
- Inter-landing-zone traffic can be controlled by NSG, Azure Firewall or NVA
- Deploy WAFs inside landing zones

Network Topology & Connectivity: Connectivity to Azure
- Use ExpressRoute as the primary connectivity
- When more than 10 Gbps is needed, use ExpressRoute Direct
- Use multiple peering locations for resiliency
- Enable ExpressRoute FastPath to lower latency

Network Topology & Connectivity: Internet Connectivity
Azure Firewall, Load Balancer, Front Door and Web Application Firewall.

Network Topology & Connectivity: Encryption Options
- VPN connection using IPsec (A)
- Use MACsec for ExpressRoute Direct customers (B)
- IPsec over ExpressRoute private peering for Virtual WAN (C)
- VNet-to-VNet VPN gateways for inter-landing-zone encryption

Network Topology & Connectivity: Traffic Inspection
- Use Network Watcher packet capture, despite the limited capture window
- Evaluate whether the latest version of NSG flow logs provides the level of detail that you need
- Use partner solutions for scenarios that require deep packet inspection
- Don't develop a custom solution to mirror traffic; complexity and supportability issues may arise
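The segmentation slide recommends NSG flow logs and traffic analytics, and the traffic inspection slide asks whether the latest flow log version gives the detail you need. The example below is added here and is not part of the deck: it parses a constructed version-2 NSG flow log record (placeholder subscription ID, NSG name and RFC 5737 documentation addresses, not a captured log) and runs two simple checks over it, a port-scan signal from denied inbound tuples and per-NIC egress byte totals. The byte totals are what version 2 adds: version 1 tuples stop after the allow/deny decision and carry no counters.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed NSG flow log record in the version-2 layout Azure writes to the
# storage account (sample input, not a captured log). Subscription ID, NSG name
# and addresses (RFC 5737 documentation ranges) are placeholders.
SAMPLE_FLOW_LOG = json.dumps({"records": [{
    "time": "2021-10-14T08:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS"
                  "/RG-LZ-CORP-APP1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-APP1",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1634198400,203.0.113.7,10.10.4.10,41000,22,T,I,D,B,,,,",
            "1634198401,203.0.113.7,10.10.4.10,41001,3389,T,I,D,B,,,,",
            "1634198402,203.0.113.7,10.10.4.10,41002,445,T,I,D,B,,,,",
            "1634198403,203.0.113.7,10.10.4.10,41003,8080,T,I,D,B,,,,",
            "1634198404,198.51.100.9,10.10.4.10,50000,443,T,I,D,B,,,,"]}]},
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1634198405,10.10.4.10,192.0.2.80,59752,443,T,O,A,B,,,,",
            "1634198465,10.10.4.10,192.0.2.80,59752,443,T,O,A,C,120,15000,100,98000",
            "1634198525,10.10.4.10,192.0.2.80,59752,443,T,O,A,E,12,1500,10,9800"]}]}]}}]})


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # T = TCP, U = UDP
    direction: str  # I = inbound, O = outbound
    decision: str   # A = allowed, D = denied
    state: str      # B = begin, C = continuing, E = end (version 2 only)
    pkts_s2d: int
    bytes_s2d: int
    pkts_d2s: int
    bytes_d2s: int
    rule: str
    mac: str


def _count(field):
    # A 'B' (begin) tuple leaves the four counters empty.
    return int(field) if field else 0


def parse_tuple(raw, rule, mac):
    """Parse one version-2 flow tuple string into a Flow."""
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in a version-2 tuple, got {len(f)}: {raw}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5], f[6], f[7], f[8],
                _count(f[9]), _count(f[10]), _count(f[11]), _count(f[12]), rule, mac)


def parse_flow_log(text):
    """Flatten the records/flows/flows/flowTuples nesting into a list of Flow."""
    flows = []
    for record in json.loads(text)["records"]:
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError("only version 2 tuples carry packet and byte counters")
        for rule_entry in props["flows"]:
            for nic in rule_entry["flows"]:
                for raw in nic["flowTuples"]:
                    flows.append(parse_tuple(raw, rule_entry["rule"], nic["mac"]))
    return flows


def denied_inbound_ports_by_source(flows):
    """Map each source address to the set of destination ports it was denied on."""
    ports = defaultdict(set)
    for fl in flows:
        if fl.direction == "I" and fl.decision == "D":
            ports[fl.src].add(fl.dport)
    return dict(ports)


def scan_suspects(flows, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a simple port-scan signal."""
    return {src: ports for src, ports in denied_inbound_ports_by_source(flows).items()
            if len(ports) >= min_ports}


def egress_bytes_by_nic(flows):
    """Bytes sent per NIC on outbound flows. Only 'C' and 'E' tuples carry counters,
    and each reports the traffic since the previous tuple of that flow, so they sum."""
    total = defaultdict(int)
    for fl in flows:
        if fl.direction == "O" and fl.state in ("C", "E"):
            total[fl.mac] += fl.bytes_s2d
    return dict(total)
```

The same two checks are what Traffic Analytics shows in its malicious-flow and top-talker views; parsing the raw log yourself is mainly useful to confirm the retention and detail level before relying on it, and to feed a SIEM rule that needs the counters rather than the decision alone.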

Network Topology & Connectivity: Connectivity to Azure PaaS
Azure Private Endpoint & Private Link for PaaS services.

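The DNS slide earlier and the Private Link slide above describe the resolution flow for a private endpoint without the diagram. The simulation below is added here and is not part of the deck; it models that flow with constructed records: a hypothetical storage account stlz001, a placeholder public IP 203.0.113.10 and private IP 10.10.4.10, a private DNS zone privatelink.blob.core.windows.net linked to one VNet, and an on-premises resolver with and without a conditional forwarder into Azure. The mechanics it reproduces are the documented ones: once a private endpoint exists the public name becomes a CNAME into the privatelink subdomain, and the Azure-provided resolver answers from a linked private zone at any step of the CNAME chain before falling back to public DNS.

```python
# Constructed records (not real DNS data): storage account 'stlz001' has a
# private endpoint in VNet 'vnet-lz-corp-app1'. 203.0.113.10 and 10.10.4.10
# are placeholder public and private addresses.

PUBLIC_DNS = {
    # With a private endpoint in place, the public zone returns a CNAME into the
    # privatelink subdomain; the privatelink name itself still resolves publicly.
    "stlz001.blob.core.windows.net": ("CNAME", "stlz001.privatelink.blob.core.windows.net"),
    "stlz001.privatelink.blob.core.windows.net": ("A", "203.0.113.10"),
}

# Azure Private DNS zones: zone name -> (records, VNets the zone is linked to).
PRIVATE_ZONES = {
    "privatelink.blob.core.windows.net": (
        {"stlz001": "10.10.4.10"},
        {"vnet-lz-corp-app1"},
    ),
}

AZURE_RESOLVER = "168.63.129.16"  # the Azure-provided resolver every VNet VM uses by default


def _private_lookup(name, vnet):
    """Answer from a private zone only if that zone is linked to the caller's VNet."""
    for zone, (records, links) in PRIVATE_ZONES.items():
        if name.endswith("." + zone) and vnet in links:
            label = name[: -len(zone) - 1]
            return records.get(label)
    return None


def _public_lookup(name, max_hops):
    """Plain recursive resolution against public DNS, following CNAMEs."""
    for _ in range(max_hops):
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype == "CNAME":
            name = value
            continue
        return None
    raise RuntimeError("CNAME chain too long")


def resolve_from_vnet(name, vnet, max_hops=8):
    """Resolution as the Azure-provided resolver performs it for a VM in `vnet`:
    at every step of the CNAME chain a linked private zone wins over public DNS."""
    for _ in range(max_hops):
        private = _private_lookup(name, vnet)
        if private:
            return private
        rtype, value = PUBLIC_DNS.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype == "CNAME":
            name = value
            continue
        return None
    raise RuntimeError("CNAME chain too long")


def resolve_from_onprem(name, conditional_forwarder_vnet=None, max_hops=8):
    """On-premises resolver. Without a conditional forwarder into Azure it only sees
    public DNS and returns the public IP; with one, queries for the Azure suffix are
    handed to a resolver that sits inside the linked VNet."""
    if conditional_forwarder_vnet and name.endswith(".core.windows.net"):
        return resolve_from_vnet(name, conditional_forwarder_vnet, max_hops)
    return _public_lookup(name, max_hops)


if __name__ == "__main__":
    host = "stlz001.blob.core.windows.net"
    print("VM in linked VNet   :", resolve_from_vnet(host, "vnet-lz-corp-app1"))
    print("VM in unlinked VNet :", resolve_from_vnet(host, "vnet-not-linked"))
    print("on-prem, no forwarder:", resolve_from_onprem(host))
    print("on-prem, forwarder   :", resolve_from_onprem(host, conditional_forwarder_vnet="vnet-lz-corp-app1"))
```

The unlinked-VNet and plain on-premises cases return the public IP. If the PaaS resource has public network access disabled, the connection then fails even though the private endpoint exists; that is the usual symptom of a private DNS zone that is missing a VNet link, or of an on-premises resolver with no conditional forwarder into Azure.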

Network Topology & Connectivity: Enterprise-Scale Reference Implementation
- Enterprise-scale design principles and implementation can be adopted by all customers, no matter the size and history of their Azure estate.
- Reference implementations enable security, monitoring, networking, and any other plumbing needed for landing zones autonomously through policy enforcement.

Q&A
