Azure Network Topology Document Extracts and Notes

Azure Network Topology

  • Two core approaches: traditional and Azure Virtual WAN
  • The above document has a topology diagram for each model.
Feature comparison: Traditional Azure Network Topology vs. Azure Virtual WAN Network Topology (table reconstructed from the flattened extract)

Highlights
  • Traditional: Customer-managed routing and security.
    – An Azure subscription can create up to 50 vnets across all regions.
    – Vnet peering links two vnets either in the same region or in different regions and enables you to route traffic between them using private IP addresses (carries a nominal charge).
    – Inbound and outbound traffic is charged at both ends of the peered networks. Network appliances such as VPN Gateway and Application Gateway that run inside a virtual network are also charged.
    – Reference: Azure Virtual Network Pricing
  • Virtual WAN: A Microsoft-managed networking service providing optimized and automated branch-to-branch connectivity through Azure.
    – Virtual WAN allows customers to connect branches to each other and to Azure, centralizing their network and security needs with virtual appliances such as firewalls and Azure network and security services.
    – Reference: Azure Virtual WAN Pricing

Deployment
  • Traditional: Customized deployment with routing and security managed by the customer.
    – Virtual Network documentation
    – Plan virtual networks
    – Tutorial: Filter network traffic with a network security group using the Azure portal
  • Virtual WAN: Microsoft-managed service.
    – Virtual WAN documentation
    – Tutorial: Create an ExpressRoute association to Virtual WAN – Azure portal
    – Other tutorials include site-to-site and point-to-site connections

Interconnectivity
  • Traditional: Traffic between two virtual networks across two different Azure regions is expected. A full mesh network across all Azure regions is not required.
  • Virtual WAN: Global connectivity between vnets in these Azure regions and multiple on-premises locations.

IPsec Tunnels
  • Traditional: Fewer than 30 IPsec site-to-site tunnels are needed.
  • Virtual WAN: More than 30 branch sites for native IPsec termination.

Routing Policy
  • Traditional: Full control and granularity for manually configuring your Azure network routing policy.
  • Virtual WAN: Not applicable.

Data Collection
  • Traditional: Collects data from servers and Kubernetes clusters.
  • Virtual WAN: Collects data from servers and Kubernetes clusters.

Data Storage
  • Traditional: Stores data in a Log Analytics workspace or the customer’s own storage account.
  • Virtual WAN: Stores data in a Log Analytics workspace or the customer’s own storage account.

Data Analysis and Visualization
  • Traditional: Uses Log Analytics for analysis and visualization of collected data.
  • Virtual WAN: Uses Azure Monitor for analysis and visualization of collected data.

Additional Information

WHERE TO START AZURE

If you have a basic understanding of cloud computing but are new to Azure, I recommend starting with the following:

I believe less is more. The above should be sufficient to get you situated.

IT Pros’ Job Interview Cheat Sheet of Multi-Factor Authentication (MFA)

Internet Climate

Recently, as hacking has become a business model and identity theft an everyday phenomenon, there is increasing hostility on the Internet and escalating concern for PC and network security. A long and complex password is no longer sufficient to protect your assets. In addition to a strong password policy, adding MFA is now a baseline defense: it better ensures the authenticity of an examined user and is an effective vehicle to deter fraud.

Market Dynamics

Furthermore, the increase in online e-commerce transactions, the compliance needs of regulated verticals like financial services and healthcare, the unique business requirements of market segments like the gaming industry, the popularity of smartphones, the adoption of cloud identity services with MFA technology, etc. all contribute to the growth of the MFA market. Market research published in August 2015 reported that “The global multi-factor authentication (MFA) market was valued at USD 3.60 Billion in 2014 and is expected to reach USD 9.60 Billion by 2020, at an estimated CAGR of 17.7% from 2015 to 2020.”

Strategic Move

While mobility becomes part of the essential business operating platform, a cloud-based authentication solution offers more flexibility and long-term benefits. This is apparent; The Street stated that

“Availability of cloud-based multi-factor authentication technology has reduced the maintenance costs typically associated with hardware and software-based two-factor and three-factor authentication models. Companies now prefer adopting cloud-based authentication solutions because the pay per use model is more cost effective, and they offer improved reliability and scalability, ease of installation and upgrades, and minimal maintenance costs. Vendors are introducing unified platforms that provide both hardware and software authentication solutions. These unified platforms are helping authentication vendors reduce costs since they need not maintain separate platforms and modules.”

Disincentives

Depending on where IT is and where IT wants to be, the initial investment may be consequential and significant. Adopting various technologies and cloud computing may be necessary, while facing resistance to change in corporate IT culture.

Snapshot

The following is not an exhaustive list, but covers some important facts, capabilities and considerations of Windows MFA.

Closing Thoughts

MFA helps ensure the authenticity of a user. MFA by itself nevertheless cannot stop identity theft, since there are various ways, such as key loggers and phishing, to steal an identity. Still, as hacking has become a business model for some underground industry, and even a military offense, and credential theft has been developed into a hacking practice, it is not an option to operate without a strong authentication scheme. MFA remains arguably a direct and effective way to deter identity theft and fraud.

And the emerging trend of employing biometrics, instead of a password, with a key-based credential leveraging hardware- and virtualization-based security like Device Guard and Credential Guard in Windows 10 further minimizes the attack surface by ensuring hardware boot integrity and OS code integrity, and by allowing only trusted system applications to request a credential. Device Guard and Credential Guard together offer a new standard in preventing pass-the-hash (PtH), one of the most popular types of credential theft and reuse attacks seen by Microsoft so far.

Above all, going forward we must not consider MFA an afterthought or add-on, but an immediate and imperative need of a PC security solution. IT needs to implement MFA sooner rather than later, if not already.

My Presentation at The Univ. of Texas at Arlington

It was a great pleasure to have the opportunity to meet the wonderful and vibrant student community and speak about cloud computing at UTA on October 8, 2015. I focused on making the point of why cloud and why now, demonstrated by constructing a computing fabric and deploying an application on demand.


Additional resources:

Try It Yourself – Configure a Point-to-Site VPN Connection to a Virtual Network (3-Part video Series)

This connection is very easy to understand and implement. Point-to-Site (or P2S) here refers to a connection between a single device (namely a connection point) and an Azure virtual network (vnet) site.

A P2S connection requires a subnet defined within the target Azure vnet site. Viewed from the connected Azure vnet site, a connecting device is automatically allocated an IP within the defined P2S subnet and connects to the site via a VPN connection.

Technically, a P2S connection is specific not to the physical device but to the logical device, i.e. the OS instance the connecting physical device is running, since the connection is based on a private-and-public key pair generated within the OS. At this time, Azure P2S supports only self-signed certificates: the x.509 certificate (i.e. the public key) of the employed key pair resides in the target Azure vnet site, while the certificate in PFX format (i.e. a certificate exported with its private key) should be installed on the connecting device. An administrator can configure an Azure P2S connection by:

  1. First enabling P2S connectivity and defining a P2S subnet associated with a target Azure vnet site
  2. Generating an x.509/PFX certificate pair
  3. Uploading the x.509 certificate to the site
  4. Distributing to and installing the PFX certificate on intended (logical) devices
  5. Initiating a connection from a logical device

Although one x.509-and-PFX certificate pair is sufficient to establish P2S connections between an Azure vnet site and multiple devices (by uploading the x.509 certificate to the target Azure vnet site and installing the associated PFX file on all connecting devices), the best practice is to employ a unique certificate pair for each connecting device to better secure the P2S environment.
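The certificate steps of the procedure above (steps 2 to 4) and the per-device best practice, as an added example that is not part of the original post or of the Azure documentation: one self-signed root whose public part is uploaded to the vnet gateway, and a separate client certificate per device exported as its own PFX. The certificate names, device list and output folder are assumptions; it uses the New-SelfSignedCertificate cmdlet available on Windows 10 / Server 2016 and later.

```powershell
# Added example (not the original post's code): P2S root plus one client cert per device.
# Assumed values: certificate subjects, device names and the output folder.
$outDir = Join-Path $env:USERPROFILE 'P2SCerts'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate: self-signed, private key stays on the admin workstation.
#    Only its public (.cer) part is uploaded to the Azure vnet gateway.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Export the public key only (DER .cer); this is what goes to Azure.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'P2SRootCert.cer') | Out-Null
# The portal's root-certificate field takes the Base64 body without BEGIN/END lines:
$rootB64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $outDir 'P2SRootCert.b64.txt') -Value $rootB64

# 2. One client certificate per device, each chained to the root and exported as
#    its own password-protected PFX (private key plus chain) for that device only.
$devices = @('LAPTOP-ALICE', 'LAPTOP-BOB')      # assumed device names
foreach ($dev in $devices) {
    $client = New-SelfSignedCertificate -Type Custom -DnsName $dev -KeySpec Signature `
        -Subject "CN=$dev" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')   # EKU: client authentication
    # Sanity check: the client cert must be issued by our root and nothing else.
    if ($client.Issuer -ne $root.Subject) { throw "Chain check failed for $dev" }
    $pfxPwd = Read-Host -AsSecureString -Prompt "PFX password for $dev"
    Export-PfxCertificate -Cert $client -ChainOption BuildChain `
        -FilePath (Join-Path $outDir "$dev.pfx") -Password $pfxPwd | Out-Null
    Write-Host "Issued $($client.Thumbprint) for $dev"
}
# A lost or retired device is handled by revoking just its certificate thumbprint on
# the gateway, which is why per-device certificates beat one shared PFX.
```

Distribute each PFX only to the device named in it; the root's private key never leaves the issuing workstation.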

Here are the Azure documentation page and complementary videos to walk through the processes and operations to:

  1. Create a virtual network and a VPN gateway (video)
  2. Create your certificates (video)
  3. Configure your VPN client (video)

Essentials for Realizing Azure Baseline Costs

Subscription and Service Limits, Quotas, and Constraints (http://aka.ms/Limits)

This is a must-bookmark page to find out, for instance:

  • Total CPU cores a subscription can consume
  • The number of endpoints a VM can have
  • The bandwidth an Azure website may provide
  • Total VMs a virtual network may host
  • Total TB per storage account
  • Maximum number of objects in Azure Active Directory

Azure Pricing Model (http://aka.ms/AzurePricing)

This is where to find detailed pricing information for Azure services, with options like pay-as-you-go, Microsoft resellers, and enterprise agreements. A good reference this is. Keep it handy.

Azure Pricing Calculator (http://aka.ms/Calculator)

This is a what-if analysis tool. How will the costs differ when changing your deployment plan from 3 small Linux VMs to 2 large ones, deploying Oracle WebLogic Server on A5 instead of A8, or replacing locally-redundant storage with geo-redundant storage? Just drag the slide bar in each category and one can read the combined baseline costs from the number shown under the full calculator.

There is also a VM calculator (http://aka.ms/AzureVMCalculator) to better understand the cost implications for VMs, bandwidth, support, etc. with Azure Infrastructure Services.

Azure SLAs (http://aka.ms/AzureSLAs)

Do examine the SLAs from a cloud vendor, including Microsoft’s. Cloud computing is emerging and the business model continues to evolve. SLAs are not all created equal. Pay attention to the fine print. Understand what does and does not count as an outage and, when there is one, how a subscriber is compensated. Following your flow of data, the overall SLA is that of the service with the lowest SLA along the path.

Azure Support Options (http://aka.ms/AzureSupportOptions)

Support costs will have an impact on the business value of an application throughout its lifecycle: not just the support subscription costs, but also the associated activities to initiate, monitor, manage, and document support cases.

Azure Compliance Page (http://aka.ms/AzureCompliance)

For some industries, if a solution is not compliant, there is really no point in investigating its cost. If compliance is a requirement, investigate early. For Azure, this page lists all the achieved certifications. Pay attention to the referenced links like Azure HIPAA Implementation Guidance. Some specifically document the implementations required for a cloud application to become compliant.

Closing Thoughts

Cloud is about the ability to deliver instant gratification, and to grow or shrink capacity based on demand. Those days of rolling out a patch in 6 weeks, deploying a branch office in 3 months, or building a cluster in two weeks are long gone. The delivery needs to be on demand: in the next hour, within a half-day, or something relatively quick.

At the same time, cloud is not a one-size-fits-all platform, and there are legitimate reasons not to deploy resources in the cloud. Get all the facts, learn how cloud works, and assess the risks. Know what you pay for, set a realistic expectation, then cloud responsibly and happily.

So where to start? Learning by practicing is what I recommend. For those who do not subscribe to MSDN, which offers a monthly Azure usage credit, sign up for a 30-day free trial at http://aka.ms/Azure200 and follow http://aka.ms/Azure101Series and http://aka.ms/Azure102Series to start making cloud work for you. Use Azure as your datacenter, your global network, and your colossal storage drive in the cloud.

Microsoft Azure 102 – Installing and Configuring Azure PowerShell

In this presentation, I walked screen by screen through the installation and configuration of Azure PowerShell. There are two ways to connect PowerShell to an Azure subscription: one uses Azure Active Directory and the other a publish-settings file. Both are detailed in this delivery. I also demonstrated a simple routine to remotely stop and deallocate a VM instance with Azure PowerShell cmdlets.
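The stop-and-deallocate routine described above, as an added example that is not the presentation's own script: it signs in with Azure Active Directory credentials and then verifies that the VM actually ended up deallocated, since a VM that is merely stopped still incurs compute charges. It assumes the current Az module (successor of the classic Azure module used in the 2015 session); the resource group and VM names are placeholders.

```powershell
# Added example (not the presentation's script): AAD sign-in, then stop AND deallocate.
# Assumes the Az module; 'rg-demo' and 'vm-demo' are placeholder names.
Connect-AzAccount | Out-Null          # interactive Azure Active Directory login

function Stop-AndDeallocateVm {
    param([string]$ResourceGroup, [string]$Name)
    $state = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Status).PowerState
    Write-Host "$Name current state: $state"
    if ($state -eq 'VM deallocated') { return $state }   # already deallocated: no compute billing
    # Without -StayProvisioned, Stop-AzVM deallocates the VM. A VM left in
    # 'VM stopped' (shut down from inside the guest) keeps its compute allocation
    # and keeps billing, which is why the state is re-read afterwards.
    Stop-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Force | Out-Null
    $state = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $Name -Status).PowerState
    if ($state -ne 'VM deallocated') { throw "$Name ended in state '$state', not deallocated" }
    return $state
}

Stop-AndDeallocateVm -ResourceGroup 'rg-demo' -Name 'vm-demo'   # placeholder names
```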

To benefit most from this content, you should have already reviewed the Azure 101 Series, http://aka.ms/Prerequisites, which is a prerequisite for those attending Microsoft IT Camp or Azure-related events.

Microsoft Azure 101 (Part 3/3) – Cloud Service and Virtual Machine Essentials

This Azure 101 series presents a set of core competencies of Microsoft Azure for IT professionals and serves as prerequisites (http://aka.ms/Prerequisites) for attending Microsoft events relevant to Microsoft Azure including:

In each topic, I walked through the specifics of processes and steps with screen-by-screen details of the examined scenarios. This post is specific to the Microsoft Azure cloud service model, VM deployment and user experience.

Microsoft Azure 101 (Part 2/3) – Storage Account Essentials


This Azure 101 series presents a set of core competencies of Microsoft Azure for IT professionals and serves as prerequisites (http://aka.ms/Prerequisites) for attending Microsoft events relevant to Microsoft Azure including:

In each topic, I walked through the specifics of processes and steps with screen-by-screen details of the examined scenarios. This post is specific to creating a Microsoft Azure storage account, with redundancy options and user experience.