Azure IaaS 네트워크

아키텍처머리부터발끝까지

Pyungrae Cho

Premier Field Engineer

Microsoft Korea

Virtual Machine 보다 Virtual Network 을 먼저!!!

Network 부터 만들자!!!

어떻게 만들까?

On-Premise Network Azure Network

Infrastructure Services

What is Azure?

Platform ServicesSecurity & Management

Web Apps

MobileApps

APIManagement

APIApps

LogicApps

NotificationHubs

Content DeliveryNetwork (CDN)

MediaServices

HDInsight MachineLearning

StreamAnalytics

DataFactory

EventHubs

MobileEngagement

Azure ActiveDirectory

Multi-FactorAuthentication

Automation

Portal

Key Vault

BiztalkServices

HybridConnections

ServiceBus

StorageQueues

Store /Marketplace

HybridOperations

Backup

StorSimple

SiteRecovery

Import/Export

SQLDatabase

DocumentDB

RedisCache Search

Tables

SQL DataWarehouse

Azure AD Connect Health

Azure AD PrivilegedIdentity Management

OperationalInsights

CloudServices

Batch Remote App

ServiceFabric Visual Studio

ApplicationInsights

Azure SDK

Team Project

VM Image Gallery& VM Depot

Infrastructure Services

What is Azure?

Platform ServicesSecurity & Management

Web Apps

MobileApps

APIManagement

APIApps

LogicApps

NotificationHubs

Content DeliveryNetwork (CDN)

MediaServices

HDInsight MachineLearning

StreamAnalytics

DataFactory

EventHubs

MobileEngagement

Azure ActiveDirectory

Multi-FactorAuthentication

Automation

Portal

Key Vault

BiztalkServices

HybridConnections

ServiceBus

StorageQueues

Store /Marketplace

HybridOperations

Backup

StorSimple

SiteRecovery

Import/Export

SQLDatabase

DocumentDB

RedisCache Search

Tables

SQL DataWarehouse

Azure AD Connect Health

Azure AD PrivilegedIdentity Management

OperationalInsights

CloudServices

Batch Remote App

ServiceFabric Visual Studio

ApplicationInsights

Azure SDK

Team Project

VM Image Gallery& VM Depot

7

Networking

VNet 에서 시작하자

• 논리적격리 (Router = VNet)

• 공용환경에서안정성보장

• VNet 간모든통신불가

• 별도허용구성필요

• 다중서브넷사용가능

• 같은 VNet 내 Subnet 간모든통신허용

• 별도차단구성필요

Virtual Network

VNet 0

On-Premise (Router) VNet 1

Virtual Network

VNet 을 연결하자

Virtual Network Connectivity

Virtual Network Gateway

• VNet to On-premises 또는 VNet to VNet 을 연결해 주는 가상 장치

• Virtual Gateway Size

• Virtual Gateway Type (VPN, ExpressRoute)

Size Type Co-existGateway Throughput

VPN Gateway Max TunnelsExpressRoute VPN

Basic No 500 Mbps 100 Mbps 10

Standard Yes 1000 Mbps 100 Mbps 10

Performance Yes 2000 Mbps 200 Mbps 30

Point-to-Site

• 공용 인터넷 으로 On-Premise 특정 Clients ↔ VNet 연결

• 인증서 기반 VPN 터널을 통한 보안 연결

Microsoft Confidential

Root CertClient Cert

Point-to-Site

Site-to-Site (VPN)

• 공용 인터넷 으로 On-Premise Network ↔ VNet 연결

• IPsec/IKE(IKEv1 또는 IKEv2) VPN 터널을 통한 보안 연결

• 단일 또는 멀티 사이트 연결 가능

Microsoft Confidential

On-premises

Your datacenter

Hardware VPN or Windows RRAS

Windows Azure

Virtual Network

<subnet 1> <subnet 2> <subnet 3>

DNS Server

VPN Gateway

Site-to-Site (VPN)

Site-to-Site (VPN)

• Validated VPN Devices

https://docs.microsoft.com/ko-kr/azure/vpn-gateway/vpn-gateway-about-vpn-devices

ExpressRoute circuit

• 전용 회선 으로 On-Premise Network ↔ VNet 연결• Seoul (KINX, Sejong Telecom)

• Busan (LG CNS+, Sejong Telecom)

• ExpressRoute Size (Standard, Premium)

• Billing Model (Unlimited, Metered)

BandwidthNumber of VNet Links

Standard Premium

50 Mbps 10 20

100 Mbps 10 25

200 Mbps 10 25

500 Mbps 10 40

1 Gbps 10 50

2 Gbps 10 60

5 Gbps 10 75

10 Gbps 10 100

Site-to-Site (ExpressRoute)

Site-to-Site (ExpressRoute)

• Router configuration

https://docs.microsoft.com/ko-kr/azure/expressroute/expressroute-config-samples-routing

https://docs.microsoft.com/ko-kr/azure/expressroute/expressroute-config-samples-nat

https://docs.microsoft.com/en-us/azure/expressroute/expressroute-locations

Site-to-Site (Coexistence)

• ExpressRoute 와 VPN을 이용하여 다중 사이트를 연결 (On-Premise 규모 고려)

Site-to-Site (Failover)

• ExpressRoute 와 VPN을 Dual 구성하여 Network 회선에 대한 장애 조치 구성 가능

VNet-to-VNet

• 동일한 또는 서로 다른 Region에 위치한 VNet ↔ VNet 연결

• IPsec/IKE(IKEv1 또는 IKEv2) VPN 터널을 통한 보안 연결

• 단일 또는 멀티 VNet 연결 가능

VNet Peering

• 별도 Gateway 구성 없이 VNet 사이 Private IP 로 통신 가능

• Low-Latency, High-Bandwidth

• 하지만,,, 동일한 Azure Region 에서만 사용 가능

VNet Peering (Hub and Spoke)

Network을 제어하자

Layered Security on Azure

NSG

Network Security Groups

• Azure 가 제공하는 Firewall

• InBound, OutBound,

• Priority

• Source IP/Port, Destination IP/Port, Protocol

• Allow, Deny

• ACL 제어• Single VM

• Single Subnet

• Both Single VM and Single Subnet

※ Not VM Windows Firewall

• 활용• Internet 및 Intranet(VNet) 트래픽 통제

• Support DMZ Zone

Network Security Groups (Rules)

• Inbound & Outbound, Allow & Deny

• Default Rules

Demo : Deploy VNet, Subnet and NSGFor Powershell

Network을 분산하자

Load Balancer

• 정의된서비스(Web, DB, Application …)를운영중인여러 Instance 들간에

들어오는트래픽을분산하고장애조치하는서비스, 즉 L4 스위치 = Load Balancer

• Frontend = Public IP, Backend = VM

Load Balancer (Type)

• Internet Load Balancer

• Public IP, 인터넷 환경에서

들어오는 트래픽 분산

• Internal Load Balancer

• Private IP, 클라우드 내부 및

VPN을 통한 네트워크에서

들어오는 트래픽 분산

Microsoft Confidential

DNS

DNS

• DNS 도메인을 Azure에 호스팅하여 사용

Microsoft Confidential

Traffic Manager

• DNS 트래픽 에 대한 밸런싱을 위해 Traffic Manager를 사용

Microsoft Confidential

Traffic Manager (Work)

Microsoft Confidential

Traffic Manager (Routing Method)

• Priority : 정해진 우선 순위로 라우팅, 동일한 우선 순위는 불가

• Weight : 가중치를 기준으로 라우팅, 동일한 가중치는 트래픽 균등 분산

• Performance : 응답속도를 기준으로 라우팅

Demo : DNS & Load Balancer

Thank you