ExpressRoute Fridays with the C+E Black Belts
Olivier Martin (@omartin) – Azure Networking Black Belt
Kevin Lopez (@kevlopez) – ER Partner Sales Executive
Jaime Schmidtke (@jaimesc) – ExpressRoute Specialist
Kevin Sullivan (@kevinsul) – BCDR and ER Black Belt
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Sessions are recorded.
• We’ll post material @ http://aka.ms/AzureNetworkingFridays
Agenda for September 16th, 2016
• Azure Network Connectivity from 0 to 60
• Deep dive topic of the week: ExpressRoute peering deep dive (Private and Public peering)
• Guest Speaker: Jon Ormond, from Azure Networking Product Group
• Azure Networking Partner Spotlight: Check Point Software (vSEC)
• Open Q&A for all customers
ExpressRoute from 0 to 60
Internet vs. ExpressRoute analogy
• Internet is like the “free”way on the left
• Drive is less predictable and may need to re-route to another road
• ExpressRoute is like the toll road on the right
• Drive is much more predictable.
• You pay extra, but it’s sure worth it
ExpressRoute has an uptime SLA and customers choose bandwidth!
Through a Peering Location!
1. Connectivity to meet-up location
2. Aggregation partner’s exchange platform
3. Microsoft ER implementation
• https://azure.microsoft.com/en-us/pricing/details/expressroute/
• Egress is $0.025 per GB for Zone 1, $0.05 per GB for Zone 2, and $0.14 per GB for Zone 3
• Zone 1 = North America/Europe, Zone 2 = Asia Pacific, Zone 3 = Brazil
• Office 365 requires Premium Add-On circuits
Standard Circuit US$ Price Models for ExpressRoute

Bandwidth   Metered Data - Port Only   Unlimited Data
            (All Zones)                Zone 1 (US, EMEA)   Zone 2 (APAC)   Zone 3 (Brazil)
50 Mbps     $55                        $300                $610            $872
100 Mbps    $100                       $575                $1,230          $1,300
200 Mbps    $145                       $1,150              $2,300          $3,220
500 Mbps    $290                       $2,750              $5,200          $5,200
1 Gbps      $436                       $5,700              $8,700          $8,700
2 Gbps      $872                       $11,400             $17,400         $17,400
5 Gbps      $2,180                     $25,650             $41,000         $41,000
10 Gbps     $5,000                     $51,300             $82,000         $82,000
Premium Circuit Price Models for Azure Workloads

Unlimited Data Plan (Premium)
Circuit Size   Zone 1     Zone 2     Zone 3
50 Mbps        $375       $710       $972
100 Mbps       $675       $1,405     $1,475
200 Mbps       $1,300     $2,600     $3,520
500 Mbps       $3,150     $6,000     $6,000
1 Gbps         $6,450     $10,150    $10,150
2 Gbps         $12,900    $19,650    $19,650
5 Gbps         $28,650    $44,000    $44,000
10 Gbps        $54,300    $85,000    $85,000

Data Transfer Pricing: Zone 1: $0.025/GB, Zone 2: $0.050/GB, Zone 3: $0.140/GB

Metered Data Plan (Premium)
Circuit Size   Zone 1     Zone 2     Zone 3
50 Mbps        $130       $155       $155
100 Mbps       $200       $275       $275
200 Mbps       $295       $445       $445
500 Mbps       $690       $1,090     $1,090
1 Gbps         $1,186     $1,886     $1,886
2 Gbps         $2,372     $3,122     $3,122
5 Gbps         $5,180     $5,180     $5,180
10 Gbps        $8,000     $8,000     $8,000
The “meter” is for egress data. Data that leaves the Microsoft network back to the customer network is considered egress data.
How to get started workflow
• Azure Subscription selected and available
• Network plan/design and prerequisites done
• Install Azure PowerShell modules
• Install ASM modules for ExpressRoute
• Install latest PowerShell
• Install ARM modules for Azure and Network
• Create Resource Group for the circuit
• Create the circuit via PowerShell or via GUI
• Send your ExpressRoute partner the Service Key and any other needed info
• Complete physical circuits/contracts with your Layer 2/Layer 3 ER partner
• ExpressRoute partner provisions connectivity
• Configure peerings* (O365/CRMOL, Azure PaaS)
• Link VNETs for IaaS
• Test connectivity
Legend (the slide colour-codes each step): ER partner work / ASM specific (retiring due to ASM/ARM coexistence) / ARM specific / General Azure
Creating a circuit via portal.azure.com
• When creating ER gateway with GUI, it creates a BASIC SKU, 500Mbps max
• For higher speeds, use the PowerShell commands.
Olivier’s ExpressRoute Cheat Sheet

Variables needed                                              | Private Peer (IaaS)                          | Microsoft Peer (O365, CRMOL)                 | Public Peer (PaaS)
VLAN ID                                                       | 100                                          | 102                                          | 101
Customer routing subnets /29 or 2*/30 (public IPs)            | N/A                                          | I.J.K.L/30 M.N.O.P/30                        | Q.R.S.T/30 U.V.W.X/30
Customer routing subnet /29 or 2*/30 (private or public IPs)  | A.B.C.D/30 E.F.G.H/30                        | N/A                                          | N/A
Microsoft ASN                                                 | 12076                                        | 12076                                        | 12076
ASN Registrar                                                 | N/A                                          | i.e. ARIN                                    | i.e. ARIN
Peering ASN                                                   | 100                                          | 100                                          | 100
Customer ASN                                                  | priv. or pub ASN (e.g., 65100 or pub. ASN)   | priv. or pub ASN (e.g., 65100 or pub. ASN)   | priv. or pub ASN (e.g., 65100 or pub. ASN)
Advertised Prefix List (for outbound)                         | 10.0.0.0/8, 0.0.0.0/0, etc.                  | Customer SNAT prefixes (NAT Pool)            | NAT pool used for MS IPs
NAT pool (for inbound)                                        | N/A                                          | Customer SNAT prefixes (NAT Pool)            | N/A
VNET info                                                     | Gateway name & /27 or /26 subnet             | N/A                                          | N/A

Basic Info (Circuit 1)
Bandwidth: 500
Peering Location: Silicon Valley
ExpressRoute Partner Name: i.e. AT&T, Verizon, Level3, Equinix, etc.
Resource Group Name & Location: Customer defined
Billing type: Metered or unmetered
SKU Type: Standard or Premium

Legend: Customer Specific information - adapt to specific requirements / ER Partner specific info
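The cheat sheet above lists the variables as a table; the following is an added example (not from the deck) that maps those same variables onto the AzureRM (ARM) ExpressRoute cmdlets in use at the time, and also shows the gateway SKU point made on the next slide (the portal creates a Basic gateway, PowerShell lets you pick a faster one). Every value is either the cheat sheet's placeholder or an RFC 5737 documentation address; the resource group, circuit, VNET and gateway names are assumptions, and the advertised public prefix is a placeholder for one registered to your peering ASN.

```powershell
# Added example, not from the deck: cheat-sheet variables -> AzureRM cmdlets.
# Assumes Login-AzureRmAccount has been run and AzureRM.Network is installed.
# All names below are placeholders; addresses are RFC 5737 documentation ranges.

# Basic Info (Circuit 1)
$rg          = "ER-RG"            # Resource Group Name (customer defined)
$location    = "westus"           # Resource Group Location (customer defined)
$circuitName = "ER-Circuit1"      # placeholder circuit name
$provider    = "Equinix"          # ExpressRoute Partner Name (placeholder)
$peeringLoc  = "Silicon Valley"   # Peering Location
$bandwidth   = 500                # Bandwidth in Mbps

New-AzureRmResourceGroup -Name $rg -Location $location | Out-Null

# SKU Type Premium (the O365/Microsoft peering needs the Premium add-on), Billing type Metered.
$ckt = New-AzureRmExpressRouteCircuit -Name $circuitName -ResourceGroupName $rg -Location $location `
    -SkuTier Premium -SkuFamily MeteredData `
    -ServiceProviderName $provider -PeeringLocation $peeringLoc -BandwidthInMbps $bandwidth

# The Service Key is what the ER partner needs; treat it like any other provisioning
# credential and hand it over through the partner's request channel only.
"Service key: {0}" -f $ckt.ServiceKey

# Peering ASN 100 and Microsoft ASN 12076 are the cheat sheet's values; each peering
# gets two /30s, one per BGP session (primary and secondary).
# Private Peer (IaaS): VLAN 100, private or public /30s.
Add-AzureRmExpressRouteCircuitPeeringConfig -Name "AzurePrivatePeering" -ExpressRouteCircuit $ckt `
    -PeeringType AzurePrivatePeering -PeerASN 100 -VlanId 100 `
    -PrimaryPeerAddressPrefix "192.0.2.0/30" -SecondaryPeerAddressPrefix "192.0.2.4/30" | Out-Null

# Public Peer (PaaS): VLAN 101, public /30s.
Add-AzureRmExpressRouteCircuitPeeringConfig -Name "AzurePublicPeering" -ExpressRouteCircuit $ckt `
    -PeeringType AzurePublicPeering -PeerASN 100 -VlanId 101 `
    -PrimaryPeerAddressPrefix "198.51.100.0/30" -SecondaryPeerAddressPrefix "198.51.100.4/30" | Out-Null

# Microsoft Peer (O365, CRMOL): VLAN 102, public /30s, and the public prefixes you will
# source traffic from (your SNAT pool), registered with a registrar such as ARIN.
Add-AzureRmExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" -ExpressRouteCircuit $ckt `
    -PeeringType MicrosoftPeering -PeerASN 100 -VlanId 102 `
    -PrimaryPeerAddressPrefix "203.0.113.0/30" -SecondaryPeerAddressPrefix "203.0.113.4/30" `
    -MicrosoftConfigAdvertisedPublicPrefixes @("203.0.113.0/24") `
    -MicrosoftConfigRoutingRegistryName "ARIN" | Out-Null

# Peering configs are only sent to Azure when the circuit object is written back.
Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt | Out-Null

# VNET info: gateway name and a /27 or /26 GatewaySubnet (VNET prefix from the deck's
# diagram). The portal creates a Basic gateway (500 Mbps max); here we ask for HighPerformance.
$vnet = Get-AzureRmVirtualNetwork -Name "WestUS-VNET" -ResourceGroupName $rg
Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.100.0.224/27" `
    -VirtualNetwork $vnet | Out-Null
$vnet     = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip      = New-AzureRmPublicIpAddress -Name "ER-GW-PIP" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic
$ipconf   = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconf" -SubnetId $gwSubnet.Id `
    -PublicIpAddressId $pip.Id
$gw = New-AzureRmVirtualNetworkGateway -Name "ER-GW" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipconf -GatewayType ExpressRoute -GatewaySku HighPerformance

# Link the VNET to the circuit. This only succeeds once the partner has provisioned the
# circuit and the private peering is up; check $ckt.ServiceProviderProvisioningState first.
New-AzureRmVirtualNetworkGatewayConnection -Name "ER-GW-Conn" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -PeerId $ckt.Id -ConnectionType ExpressRoute | Out-Null
```

The three Add-AzureRmExpressRouteCircuitPeeringConfig calls are where the cheat-sheet columns land: VLAN ID, Peering ASN and the two /30s are common to all three, while only the Microsoft peering carries the advertised public prefixes and the registrar name.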
Partner Contacts
Nimbo – [email protected] – ExpressRoute SI Partner
Perficient – [email protected] – ExpressRoute SI Partner
Project Leadership – [email protected] – ExpressRoute SI Partner
Aryaka – [email protected] – ExpressRoute Connectivity Partner
AT&T – AT&T Information Request Form – ExpressRoute Connectivity Partner
Comcast – http://business.comcast.com/landingpage/microsoft-azure – ExpressRoute Connectivity Partner
CoreSite – [email protected] – ExpressRoute Connectivity Partner
Equinix – [email protected] – ExpressRoute Connectivity Partner
Level 3 – http://Level3.com/Azure – ExpressRoute Connectivity Partner
Megaport – [email protected] – ExpressRoute Connectivity Partner
Orange – [email protected] – ExpressRoute Connectivity Partner
Tata – [email protected] – ExpressRoute Connectivity Partner
Verizon – [email protected] – ExpressRoute Connectivity Partner
Zayo – [email protected] – ExpressRoute Connectivity Partner
Riverbed – [email protected] – Network Virtual Appliance Partner
Barracuda – [email protected] – Network Virtual Appliance Partner
Check Point – http://www.checkpoint.com/vsec – Network Virtual Appliance Partner
ExpressRoute Checklist & Updated O365 Guidance
PDF version to be available at http://aka.ms/ERCheckList
Updated Office365 guidance @ http://aka.ms/EROimplementation
[Diagram: ExpressRoute connectivity model. The customer’s network reaches the Partner Edge over a primary circuit and a secondary circuit; the Partner Edge connects to the Microsoft Edge, which carries three kinds of traffic: traffic to public IP addresses in Azure, traffic to Virtual Networks (VNets), and traffic to Office 365 services.]
[Diagram: two ExpressRoute circuits with AS path prepending. The Office in Los Angeles (10.1.0.0/16, AS 64496) and the Office in New York (10.2.0.0/16, AS 64496) are joined by the network carrier’s IP VPN or the customer’s backbone network. Each office has its own circuit (ExpressRoute Los Angeles, ExpressRoute New York) into Microsoft’s backbone network, which reaches two Virtual Networks through their gateways: West US (10.100.0.0/24) and East US (10.200.0.0/24).]

Routes advertised over ExpressRoute Los Angeles:
Range         AS Path
10.1.0.0/16   64496
10.2.0.0/16   64496 64496

Routes advertised over ExpressRoute New York:
Range         AS Path
10.1.0.0/16   64496 64496
10.2.0.0/16   64496

Routes as seen on Microsoft’s side:
Range         AS Path        From
10.1.0.0/16   64496          LA
10.1.0.0/16   64496 64496    NY
10.2.0.0/16   64496          NY
10.2.0.0/16   64496 64496    LA
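The diagram relies on one property of BGP best-path selection: between two routes for the same prefix with otherwise equal attributes, the shorter AS path wins. The following is an added example, not from the deck, that replays the diagram's four advertisements through that rule and then shows what happens when one circuit goes down. It is a pure simulation (no Azure calls); the prefixes, ASN and circuit labels are the diagram's, and the function name Get-BgpBestPaths is an assumption.

```powershell
# Added example, not from the deck: shortest-AS-path selection over the two circuits.
# Only AS_PATH length is compared, which is enough to reproduce the diagram's tables.

function Get-BgpBestPaths {
    param([Parameter(Mandatory)][object[]]$Advertisements)
    # One winner per prefix: the advertisement with the fewest ASNs in its AS path.
    $best = @{}
    foreach ($group in ($Advertisements | Group-Object -Property Prefix)) {
        $winner = $group.Group | Sort-Object { $_.AsPath.Count } | Select-Object -First 1
        $best[$group.Name] = $winner
    }
    return $best
}

function Show-BestPaths {
    param([hashtable]$Best, [string]$Title)
    $Title
    foreach ($prefix in ($Best.Keys | Sort-Object)) {
        $r = $Best[$prefix]
        "  {0,-12} via {1}  (AS path {2})" -f $prefix, $r.From, ($r.AsPath -join " ")
    }
}

# What each circuit's router announces to Microsoft, exactly as in the diagram:
# its own /16 unprepended, the other office's /16 with AS 64496 prepended once.
$adverts = @(
    [pscustomobject]@{ Prefix = "10.1.0.0/16"; AsPath = @(64496);        From = "LA" }
    [pscustomobject]@{ Prefix = "10.2.0.0/16"; AsPath = @(64496, 64496); From = "LA" }
    [pscustomobject]@{ Prefix = "10.2.0.0/16"; AsPath = @(64496);        From = "NY" }
    [pscustomobject]@{ Prefix = "10.1.0.0/16"; AsPath = @(64496, 64496); From = "NY" }
)

# Normal operation: LA traffic enters via LA, NY traffic via NY.
Show-BestPaths -Best (Get-BgpBestPaths -Advertisements $adverts) -Title "Both circuits up:"

# Failure case: the LA circuit drops, so only NY's advertisements remain and
# 10.1.0.0/16 is still reachable, now over the prepended path.
$nyOnly = $adverts | Where-Object { $_.From -eq "NY" }
Show-BestPaths -Best (Get-BgpBestPaths -Advertisements $nyOnly) -Title "LA circuit down:"
```

The failure case is the reason for advertising every prefix over both circuits rather than only the local one: the prepended route is a live backup that needs no reconfiguration when a circuit fails. When checking a real deployment, the `From` column of the third table is what you would compare against the routes the gateway actually learned.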
©2016 Check Point Software Technologies Ltd. [Protected] Non-confidential content
vSEC for Azure
Advanced Threat Prevention Security for Public and Hybrid Clouds
NEW IT DEMANDS: CLOUD
Enable business agility, streamline processes, enhance competitive advantages, and lower IT costs
Cloud Myth: Network Security solutions don’t fit in Public / Hybrid Cloud architectures
Perception:
• Too dynamic (rapid adding/removing of VMs, subnets etc.) – while network security tools fail to make the needed modifications
• Network security solutions become a single point of failure and don’t support HA configuration
Reality: Network Security FITS in Hybrid Cloud Arch.
• Deployed in VMs within VNETs
• Single or multiple NICs
• Private or Public IPs
• Operate in HA mode in cloud
• Within VNET (HA-cluster)
• Across availability-set
• Security policies updated automatically
• Auto-discovery of cloud assets (new VMs, subnets, etc.) reflected in automated policy updates
Cloud Myth: Advanced Security models can’t be used in Public / Hybrid Clouds
Perception:
• Micro-Segmentation can only be achieved in private cloud – not in public cloud
Advanced security methods in Hybrid Clouds:
• Micro-Segmentation with Advanced Threat Prevention:
• Fine-tuned network segmentation, popular in private-cloud (SDN based) network
• Achieved inside VNET’s using network firewall and User-Defined Route (UDR) configurations
• Prevent lateral movement of threats within Hybrid Clouds
Reality: Advanced Security Seamlessly Deployed in Hybrid Clouds.
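The micro-segmentation bullets above name the mechanism but not the plumbing: inside a VNET, Azure's system routes let every subnet reach every other subnet directly, so a firewall VM only sees cross-subnet traffic if a User-Defined Route (UDR) steers that traffic to it. The following is an added example, not from the deck or from Check Point, showing that UDR configuration with the AzureRM cmdlets for a generic firewall NVA. Resource group, VNET, subnet and NIC names, the Db prefix and the NVA address are all assumptions.

```powershell
# Added example, not from the deck: UDR-based segmentation between two subnets of
# one VNET, forcing App -> Db traffic through a firewall NVA. Placeholders throughout;
# assumes Login-AzureRmAccount has been run and AzureRM.Network is installed.

$rg       = "Seg-RG"
$location = "westus"
$vnetName = "Seg-VNET"
$dbPrefix = "10.100.0.64/27"   # the Db subnet (placeholder)
$nvaIp    = "10.100.0.36"      # the firewall NVA's private IP in its own subnet (placeholder)

$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# 1. A route table whose single route overrides the system route for the Db subnet.
#    NextHopType VirtualAppliance hands the packet to the NVA instead of delivering it directly.
$rt = New-AzureRmRouteTable -Name "App-to-Db-via-FW" -ResourceGroupName $rg -Location $location
Add-AzureRmRouteConfig -Name "ToDb" -AddressPrefix $dbPrefix `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp -RouteTable $rt | Out-Null
Set-AzureRmRouteTable -RouteTable $rt | Out-Null

# 2. Attach the route table to the App subnet, keeping the subnet's existing prefix.
$app = Get-AzureRmVirtualNetworkSubnetConfig -Name "App" -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -Name "App" -VirtualNetwork $vnet `
    -AddressPrefix $app.AddressPrefix -RouteTable $rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 3. The NVA's NIC must be allowed to forward packets that are not addressed to it,
#    otherwise the fabric drops everything the UDR sends its way.
$nic = Get-AzureRmNetworkInterface -Name "fw-nic0" -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null

# Check: the effective routes of a VM NIC in the App subnet should now list the Db prefix
# with next hop type VirtualAppliance and the NVA's address.
Get-AzureRmEffectiveRouteTable -NetworkInterfaceName "app-vm-nic0" -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $dbPrefix }
```

Two points a reviewer would check in a real deployment: the Db subnet needs the mirror-image route (Db -> App via the NVA) so that a stateful firewall sees both directions of each flow, and the NVA subnet itself must not carry a route that points back at the NVA, or traffic loops. The firewall policy (the Check Point rule base in the slides) then decides what crosses; the UDR only guarantees that the traffic gets there.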
Check Point vSEC for Microsoft Azure
Advanced Threat Prevention Security for Hybrid Clouds
vSEC GATEWAY
• Comprehensive protections including: Firewall, IPS, AntiBot, AntiVirus, VPN, DLP and SandBlast Zero-Day Protections
• Secure traffic between applications in the hybrid cloud
vSEC CONTROLLER
• Automated security with unified management
• Context-aware policies leveraging Azure defined objects
• Consolidated logging and reporting across private, public and hybrid clouds
Prevent Lateral Movement of Threats
vSEC Gateway prevents lateral threat movement between applications inside hybrid clouds
Advanced Threat Prevention Security
Check Point Access Policy
Rule   From                            To                                  Application   Action
3      Finance_App1 (vCenter Object)   Database_Group (NSX SecGroup)       MSSQL         Allow
4      HR_App2 (OpenStack Object)      Finance_Group (ACI EndPoint Group)  CRM           Allow
5      User_ID                         SAP_App (Azure Object)              SAP           Allow
Context-Aware Security Policies
Security policy with application identity tied to SDN and Cloud platforms
Flexible Delivery Models
BYOL: requires an open server license. This offering gives you the flexibility to select the software blades you want as well as the level of support.
PAYG: the license means you pay an hourly-based fee depending on how long you use the image.
Quickly Enable vSEC Advanced Security
1. Enable a Check Point Virtual Gateway in the Azure Cloud
2. Select Desired Protection Levels
AUTOMATED SECURITY FOR THE HYBRID CLOUD
ADVANCED SECURITY FOR ALL DATACENTER TRAFFIC
Protecting the Enterprise Cloud
Thank you! Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays