ExpressRoute Fridays with the C+E Black Belts

Olivier Martin (@omartin) – Azure Networking Black Belt
Kevin Lopez (@kevlopez) – ER Partner Sales Executive
Jaime Schmidtke (@jaimesc) – ExpressRoute Specialist
Kevin Sullivan (@kevinsul) – BCDR and ER Black Belt



Before we get started

• Welcome customers and partners!!!

• Material is public information. No NDA info here.

• Use the IM window for questions.

• Sessions are recorded.

• We'll post material at http://aka.ms/AzureNetworkingFridays

Agenda for September 16th, 2016

• Azure Network Connectivity from 0 to 60

• Deep dive topic of the week: ExpressRoute peering deep dive (Private and Public peering)

  • Guest speaker: Jon Ormond, from the Azure Networking Product Group

• Azure Networking Partner Spotlight: Check Point Software (vSEC)

• Open Q&A for all customers

ExpressRoute from 0 to 60

Internet vs. ExpressRoute analogy

• The Internet is like the "free"way on the left

  • The drive is less predictable, and you may need to re-route to another road

• ExpressRoute is like the toll road on the right

  • The drive is much more predictable

  • You pay extra, but it's sure worth it

ExpressRoute has an uptime SLA, and customers choose the bandwidth!

What is ExpressRoute?

[Diagram: two paths from the customer WAN into Microsoft, one across the public Internet and one across ExpressRoute.]

ExpressRoute is dedicated connectivity through a peering location, made up of:

1. Connectivity to the meet-up location

2. The aggregation partner's exchange platform

3. The Microsoft ER implementation

• Pricing: https://azure.microsoft.com/en-us/pricing/details/expressroute/

• Egress is $0.025 per GB for Zone 1, $0.05 per GB for Zone 2, and $0.14 per GB for Zone 3

• Zone 1 = North America/Europe, Zone 2 = Asia Pacific, Zone 3 = Brazil

• Office 365 requires Premium add-on circuits

Standard Circuit US$ Price Models for ExpressRoute

                Metered Data      Unlimited Data
Bandwidth       (port only)       Zone 1 (US, EMEA)   Zone 2 (APAC)   Zone 3 (Brazil)
                All Zones
50 Mbps         $55               $300                $610            $872
100 Mbps        $100              $575                $1,230          $1,300
200 Mbps        $145              $1,150              $2,300          $3,220
500 Mbps        $290              $2,750              $5,200          $5,200
1 Gbps          $436              $5,700              $8,700          $8,700
2 Gbps          $872              $11,400             $17,400         $17,400
5 Gbps          $2,180            $25,650             $41,000         $41,000
10 Gbps         $5,000            $51,300             $82,000         $82,000

Premium Circuit Price Models for Azure Workloads

Unlimited Data Plan (Premium)

Circuit Size    Zone 1      Zone 2      Zone 3
50 Mbps         $375        $710        $972
100 Mbps        $675        $1,405      $1,475
200 Mbps        $1,300      $2,600      $3,520
500 Mbps        $3,150      $6,000      $6,000
1 Gbps          $6,450      $10,150     $10,150
2 Gbps          $12,900     $19,650     $19,650
5 Gbps          $28,650     $44,000     $44,000
10 Gbps         $54,300     $85,000     $85,000

Metered Data Plan (Premium)

Circuit Size    Zone 1      Zone 2      Zone 3
50 Mbps         $130        $155        $155
100 Mbps        $200        $275        $275
200 Mbps        $295        $445        $445
500 Mbps        $690        $1,090      $1,090
1 Gbps          $1,186      $1,886      $1,886
2 Gbps          $2,372      $3,122      $3,122
5 Gbps          $5,180      $5,180      $5,180
10 Gbps         $8,000      $8,000      $8,000

Data Transfer Pricing: Zone 1 $0.025/GB, Zone 2 $0.050/GB, Zone 3 $0.140/GB

The "meter" is for egress data. Data that leaves the Microsoft network back to the customer network is considered egress data.

How to get started workflow

Legend: General Azure / ARM specific / ASM specific (retiring due to ASM/ARM coexistence) / ER partner work

Prerequisites (general Azure):

• Azure Subscription selected and available

• Network plan/design and prerequisites done

Tooling:

• Install the latest PowerShell

• ARM specific: Install ARM modules for Azure and Network

• ASM specific: Install Azure PowerShell modules; Install ASM modules for ExpressRoute

Circuit:

• ARM specific: Create a Resource Group for the circuit

• Create the circuit via PowerShell or via GUI

• Send your ExpressRoute partner the Service Key and any other needed info

• ER partner work: Complete physical circuits/contracts with your Layer 2/Layer 3 ER partner

• ER partner work: ExpressRoute partner provisions connectivity

Peerings and test:

• Configure peerings*: O365/CRMOL; Azure PaaS

• Link VNETs for IaaS

• Test connectivity

Creating a circuit via portal.azure.com

• When creating an ER gateway with the GUI, it creates a Basic SKU (500 Mbps max)

• For higher speeds, use the PowerShell commands

Olivier's ExpressRoute Cheat Sheet

Variables needed, per peering:

Private Peer (IaaS)

• VLAN ID: 100

• Customer routing subnet, /29 or 2*/30 (private or public IPs): A.B.C.D/30, E.F.G.H/30

• Microsoft ASN: 12076

• ASN registrar: N/A

• Peering ASN: 100

• Customer ASN: private or public ASN (e.g., 65100 or a public ASN)

• Advertised prefix list (for outbound): 10.0.0.0/8, 0.0.0.0/0, etc.

• NAT pool (for inbound): N/A

• VNET info: Gateway name and a /27 or /26 gateway subnet

Microsoft Peer (O365, CRMOL)

• VLAN ID: 102

• Customer routing subnets, /29 or 2*/30 (public IPs): I.J.K.L/30, M.N.O.P/30

• Microsoft ASN: 12076

• ASN registrar: i.e. ARIN

• Peering ASN: 100

• Customer ASN: private or public ASN (e.g., 65100 or a public ASN)

• Advertised prefix list (for outbound): customer SNAT prefixes (NAT pool)

• NAT pool (for inbound): customer SNAT prefixes (NAT pool)

• VNET info: N/A

Public Peer (PaaS)

• VLAN ID: 101

• Customer routing subnets, /29 or 2*/30 (public IPs): Q.R.S.T/30, U.V.W.X/30

• Microsoft ASN: 12076

• ASN registrar: i.e. ARIN

• Peering ASN: 100

• Customer ASN: private or public ASN (e.g., 65100 or a public ASN)

• Advertised prefix list (for outbound): NAT pool used for MS IPs

• NAT pool (for inbound): N/A

• VNET info: N/A

Basic Info, Circuit 1

• Bandwidth: 500

• Peering Location: Silicon Valley

• ExpressRoute Partner Name: i.e. AT&T, Verizon, Level3, Equinix, etc.

• Resource Group Name & Location: customer defined

• Billing type: Metered or unmetered

• SKU type: Standard or Premium

Legend

• Customer-specific information: adapt to specific requirements

• ER partner-specific info

Partner Contacts

• Nimbo: [email protected] (ExpressRoute SI Partner)

• Perficient: [email protected] (ExpressRoute SI Partner)

• Project Leadership: [email protected] (ExpressRoute SI Partner)

• Aryaka: [email protected] (ExpressRoute Connectivity Partner)

• AT&T: AT&T Information Request Form (ExpressRoute Connectivity Partner)

• Comcast: http://business.comcast.com/landingpage/microsoft-azure (ExpressRoute Connectivity Partner)

• CoreSite: [email protected] (ExpressRoute Connectivity Partner)

• Equinix: [email protected] (ExpressRoute Connectivity Partner)

• Level 3: http://Level3.com/Azure (ExpressRoute Connectivity Partner)

• Megaport: [email protected] (ExpressRoute Connectivity Partner)

• Orange: [email protected] (ExpressRoute Connectivity Partner)

• Tata: [email protected] (ExpressRoute Connectivity Partner)

• Verizon: [email protected] (ExpressRoute Connectivity Partner)

• Zayo: [email protected] (ExpressRoute Connectivity Partner)

• Riverbed: [email protected] (Network Virtual Appliance Partner)

• Barracuda: [email protected] (Network Virtual Appliance Partner)

• Check Point: http://www.checkpoint.com/vsec (Network Virtual Appliance Partner)

ExpressRoute Checklist & Updated O365 Guidance

• PDF version to be available at http://aka.ms/ERCheckList

• Updated Office 365 guidance at http://aka.ms/EROimplementation

Technical Deep Dive with Jon Ormond

[Diagram: the customer's network reaches the partner edge over a primary and a secondary circuit, and the partner edge connects to the Microsoft edge. Three kinds of traffic ride the circuit, each on its own peering: traffic to public IP addresses in Azure (public peering), traffic to Virtual Networks (private peering), and traffic to Office 365 services (Microsoft peering).]

[Diagram: two-circuit design. An office in Los Angeles (10.1.0.0/16, AS 64496) and an office in New York (10.2.0.0/16, AS 64496) sit on the network carrier's IP VPN or the customer's backbone network. ExpressRoute Los Angeles connects to a Virtual Network in West US (10.100.0.0/24) and ExpressRoute New York to a Virtual Network in East US (10.200.0.0/24), each through its own gateway across Microsoft's backbone network. Each office advertises its own prefix with a plain AS path on the local circuit and with the AS prepended once on the remote circuit, so Microsoft prefers the nearer circuit and still has the other as a backup.]

Routes learned on ExpressRoute Los Angeles:

Range          AS Path
10.1.0.0/16    64496
10.2.0.0/16    64496 64496

Routes learned on ExpressRoute New York:

Range          AS Path
10.1.0.0/16    64496 64496
10.2.0.0/16    64496

Routes as seen from Microsoft's backbone network:

Range          AS Path        From
10.1.0.0/16    64496          LA
10.1.0.0/16    64496 64496    NY
10.2.0.0/16    64496          NY
10.2.0.0/16    64496 64496    LA

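The AS-path prepending in the two-circuit diagram above, worked through as an added example (not from the deck). The selection helper reproduces the one BGP rule that matters here, shortest AS path wins, on a sample route set constructed to match the slide's tables; it then runs the same selection over what Microsoft's edge actually learned on two real circuits. The resource group 'rg-er' and circuit names 'er-la' and 'er-ny' are placeholders, and Az.Network replaces the AzureRm cmdlets of 2016.

```powershell
# Added example (not from the slides). Assumes Az.Network; 'rg-er', 'er-la' and 'er-ny'
# are placeholder names for the resource group and the two circuits in the diagram.

# Shortest AS path wins (local preference and weight are equal on a single peering).
# Returns one winner per prefix together with the circuit it was learned on.
function Select-BestPathPerPrefix {
    param([Parameter(Mandatory)][object[]]$Routes)   # objects with Prefix, AsPath, Circuit
    $Routes |
        Group-Object -Property Prefix |
        ForEach-Object {
            $best = $_.Group |
                Sort-Object { ($_.AsPath.Trim() -split '\s+').Count } |
                Select-Object -First 1
            [pscustomobject]@{ Prefix = $_.Name; AsPath = $best.AsPath; PreferredCircuit = $best.Circuit }
        }
}

# Constructed sample mirroring the slide: each office's /16 is plain on its local circuit
# and prepended once (64496 64496) on the remote one.
$sample = @(
    [pscustomobject]@{ Prefix = '10.1.0.0/16'; AsPath = '64496';       Circuit = 'LA' }
    [pscustomobject]@{ Prefix = '10.2.0.0/16'; AsPath = '64496 64496'; Circuit = 'LA' }
    [pscustomobject]@{ Prefix = '10.1.0.0/16'; AsPath = '64496 64496'; Circuit = 'NY' }
    [pscustomobject]@{ Prefix = '10.2.0.0/16'; AsPath = '64496';       Circuit = 'NY' }
)

# Steady state: 10.1.0.0/16 is reached via LA, 10.2.0.0/16 via NY.
Select-BestPathPerPrefix -Routes $sample | Format-Table

# LA circuit down: every LA route withdraws and the prepended NY paths are now the only
# candidates, so both offices stay reachable over New York.
Select-BestPathPerPrefix -Routes ($sample | Where-Object Circuit -ne 'LA') | Format-Table

# Live check: what Microsoft's edge learned on the primary link of each circuit's
# private peering. Network and Path are the columns the cmdlet returns.
$live = foreach ($name in 'er-la', 'er-ny') {
    Get-AzExpressRouteCircuitRouteTable -ResourceGroupName 'rg-er' -ExpressRouteCircuitName $name `
        -PeeringType AzurePrivatePeering -DevicePath Primary |
        ForEach-Object { [pscustomobject]@{ Prefix = $_.Network; AsPath = $_.Path; Circuit = $name } }
}
Select-BestPathPerPrefix -Routes $live | Format-Table
```

Prepending only steers the Azure-to-on-premises direction; which circuit carries traffic the other way is decided on the customer's own routers (local preference, or an equivalent policy), so both sides must be configured for the paths to be symmetric. The live check is worth repeating for the Secondary device path, since each circuit has two links and a prefix missing on one of them is a quiet loss of redundancy.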

Partner Spotlight : Check Point

©2016 Check Point Software Technologies Ltd. [Protected] Non-confidential content

vSEC for Azure: Advanced Threat Prevention Security for Public and Hybrid Clouds

NEW IT DEMANDS: CLOUD

Enable business agility, streamline processes, enhance competitive advantages, and lower IT costs

Cloud Myth: Network security solutions don't fit in public/hybrid cloud architectures

Perception:

• Too dynamic (rapid adding/removing of VMs, subnets, etc.), while network security tools fail to make the needed modifications

• Network security solutions become a single point of failure and don't support HA configurations

Reality: Network security FITS in hybrid cloud architectures

• Deployed in VMs within VNETs

  • Single or multiple NICs

  • Private or public IPs

• Operate in HA mode in the cloud

  • Within a VNET (HA cluster)

  • Across an availability set

• Security policies updated automatically

  • Auto-discovery of cloud assets (new VMs, subnets, etc.) reflected in automated policy updates

Cloud Myth: Advanced security models can't be used in public/hybrid clouds

Perception:

• Micro-segmentation can only be achieved in a private cloud, not in a public cloud

Advanced security methods in hybrid clouds:

• Micro-segmentation with Advanced Threat Prevention:

  • Fine-tuned network segmentation, popular in private-cloud (SDN-based) networks

  • Achieved inside VNETs using a network firewall and User-Defined Route (UDR) configurations

  • Prevents lateral movement of threats within hybrid clouds

Reality: Advanced security is seamlessly deployed in hybrid clouds
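The UDR-plus-firewall micro-segmentation the slide describes, as an added example built from Azure primitives only; it is not Check Point's code and does not depend on vSEC, since any firewall VM that forwards traffic can sit at the next hop. Assumed placeholders: resource group 'rg-hybrid', VNet 'vnet-apps' with subnets 'web' (10.10.1.0/24) and 'db' (10.10.2.0/24), and a firewall VM whose NIC 'fw-nic' holds 10.10.0.4 in a separate 'fw' subnet; 'web-vm-nic' is a workload NIC in the web subnet.

```powershell
# Added example (not Check Point's or the deck's code). Assumes Az.Network and the
# placeholder resource group, VNet, subnets and NICs named in the lead-in.
$rg = 'rg-hybrid'; $loc = 'westus'; $fwIp = '10.10.0.4'
$vnet = Get-AzVirtualNetwork -Name 'vnet-apps' -ResourceGroupName $rg

# 1. The firewall NIC must be allowed to forward packets not addressed to it,
#    otherwise the Azure fabric drops everything the UDR sends its way.
$nic = Get-AzNetworkInterface -Name 'fw-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# 2. One route table per protected subnet: traffic for the peer subnet and anything
#    leaving the VNet goes to the firewall. A UDR for 10.10.2.0/24 is more specific than
#    the system VnetLocal route for the whole VNet, so it wins by longest prefix.
#    Traffic inside one subnet is never routed, so UDRs cannot inspect it; use NSGs there.
function New-SegmentRouteTable {
    param([string]$Name, [string[]]$PeerPrefixes)
    $rt = New-AzRouteTable -Name $Name -ResourceGroupName $rg -Location $loc
    foreach ($p in $PeerPrefixes + '0.0.0.0/0') {
        Add-AzRouteConfig -Name ('to-' + ($p -replace '[./]', '-')) -AddressPrefix $p `
            -NextHopType VirtualAppliance -NextHopIpAddress $fwIp -RouteTable $rt | Out-Null
    }
    Set-AzRouteTable -RouteTable $rt
}
$rtWeb = New-SegmentRouteTable -Name 'rt-web' -PeerPrefixes '10.10.2.0/24'
$rtDb  = New-SegmentRouteTable -Name 'rt-db'  -PeerPrefixes '10.10.1.0/24'

# 3. Associate the tables with the workload subnets. The firewall's own subnet gets no
#    table, or its egress would be routed straight back into itself.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'web' -AddressPrefix '10.10.1.0/24' -RouteTable $rtWeb | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'db'  -AddressPrefix '10.10.2.0/24' -RouteTable $rtDb  | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 4. Verify from a workload NIC: the peer-subnet and default routes should show
#    NextHopType VirtualAppliance with the firewall address, Source "User".
Get-AzEffectiveRouteTable -NetworkInterfaceName 'web-vm-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '10.10.2.0/24' -or $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

This is the single-appliance form of the pattern, and it has exactly the single-point-of-failure property the "Perception" bullet raises: if the firewall VM is down, both subnets lose their route. The HA form the "Reality" bullet refers to puts two firewall VMs in an availability set behind an internal load balancer and points the UDRs at the load balancer's front-end IP instead of $fwIp.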

Check Point vSEC for Microsoft Azure: Advanced Threat Prevention Security for Hybrid Clouds

vSEC GATEWAY

• Comprehensive protections including: Firewall, IPS, Anti-Bot, Anti-Virus, VPN, DLP and SandBlast Zero-Day Protections

• Secure traffic between applications in the hybrid cloud

vSEC CONTROLLER

• Automated security with unified management

• Context-aware policies leveraging Azure-defined objects

• Consolidated logging and reporting across private, public and hybrid clouds

Prevent Lateral Movement of Threats

The vSEC Gateway prevents lateral threat movement between applications inside hybrid clouds

Advanced Threat Prevention Security

Check Point Access Policy

Rule   From                             To                                  Application   Action
3      Finance_App1 (vCenter Object)    Database_Group (NSX SecGroup)       MSSQL         Allow
4      HR_App2 (OpenStack Object)       Finance_Group (ACI EndPoint Group)  CRM           Allow
5      User_ID                          SAP_App (Azure Object)              SAP           Allow

Context-Aware Security Policies

Security policy with application identity tied to SDN and cloud platforms

Flexible Delivery Models

• BYOL: requires an open server license. This offering gives you the flexibility to select the software blades you want as well as the level of support.

• PAYG: the license means you pay an hourly-based fee depending on how long you use the image.

Quickly Enable vSEC Advanced Security

1. Enable a Check Point Virtual Gateway in the Azure Cloud

2. Select the desired protection levels

One Console to Manage Everything

ONE CONSOLE, ONE POLICY

[Diagram: the enterprise datacenter (Cisco ACI) and network security deployed in an Azure VNET managed from one console. Captions: "Automated security for the hybrid cloud", "Advanced security for all datacenter traffic", "Protecting the enterprise cloud".]


THANK YOU


Advanced Security in Hybrid-Cloud

Open Q&A

Thank you! The session recording will be posted shortly at http://aka.ms/AzureNetworkingFridays