Azure Networking Fridays with the C+E Black Belts
Olivier Martin (@omartin) – Azure Networking Black Belt
Kevin Lopez (@kevlopez) – ER Partner Sales Executive
Jaime Schmidtke (@jaimesc) – ER Partner Sales Executive
Before we get started
• Welcome customers and partners!!!
• Material is public information. No NDA info here.
• Use the IM window for questions.
• Sessions are recorded.
• We’ll post material @ http://aka.ms/AzureNetworkingFridays
Agenda for October 28th, 2016
• Azure Networking from 0 to 60
• Azure Networking Partner Spotlight : F5 Big IP
• Deep dive topic of the week :
• Guest Speaker : Telmo Sampaio (Principal Program Manager, Azure CAT)
• Open Q&A !
[Slide diagram: Azure services map. Section labels: Platform Services, Security & Management, Infrastructure Services. Service labels: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Store / Marketplace, Hybrid Operations, Backup, StorSimple, Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Search, Tables, SQL Data Warehouse, Azure AD Connect Health, AD Privileged Identity Management, Operational Insights, Cloud Services, Batch, Remote App, Service Fabric, Visual Studio, Application Insights, Azure SDK, Team Project, VM Image Gallery & VM Depot]
BGP for redundant paths and dynamic routing
Automatic shortest path selection and failover
Transit over Microsoft global network
Secure connectivity using Internet only for “last mile”
Support on-premises network with multiple ISPs and VPN devices
From active-standby to active-active
Support both cross-premises and VNet-to-VNet connectivity
Spreading traffic over multiple tunnels simultaneously
[Slide map. Location labels, in the order extracted: Atlanta, Chicago, Los Angeles, Seattle, Silicon Valley, Washington DC, Amsterdam, Dublin, London, Sao Paulo, Chennai, Hong Kong, Mumbai, Melbourne, Osaka, Singapore, Sydney, Tokyo, Las Vegas, Toronto, Montreal, Quebec City, New York City, Dallas, Newport (Wales), Paris, Beijing, Shanghai, Berlin, Frankfurt, Dallas, Washington DC, New York, Chicago. Other labels: US Government, Germany, China]
[Slide diagram. Labels: Azure Active Directory; Azure subscription (×3); Access Control (×3); Virtual Network (×4); FW, IIS, SQL (repeated); ExpressRoute (×2); Internet (×4); Azure load balancer (×7)]
ExpressRoute and Virtual Appliance Partner Contacts

| Partner | Contact | Partner type |
| --- | --- | --- |
| Equinix Professional Services | [email protected] | ExpressRoute SI Partner |
| Perficient | [email protected] | ExpressRoute SI Partner |
| Project Leadership | [email protected] | ExpressRoute SI Partner |
| Aryaka | [email protected] | ExpressRoute Connectivity Partner |
| AT&T | AT&T Information Request Form | ExpressRoute Connectivity Partner |
| Cologix | [email protected] | ExpressRoute Connectivity Partner |
| Comcast | http://business.comcast.com/landingpage/microsoft-azure | ExpressRoute Connectivity Partner |
| CoreSite | [email protected] | ExpressRoute Connectivity Partner |
| Equinix | [email protected] | ExpressRoute Connectivity Partner |
| Level 3 | http://Level3.com/Azure | ExpressRoute Connectivity Partner |
| Megaport | [email protected] | ExpressRoute Connectivity Partner |
| Orange | [email protected] | ExpressRoute Connectivity Partner |
| Tata Communication | [email protected] | ExpressRoute Connectivity Partner |
| Verizon | [email protected] | ExpressRoute Connectivity Partner |
| Zayo | [email protected] | ExpressRoute Connectivity Partner |
| Barracuda | [email protected] | Network Virtual Appliance Partner |
| Check Point | http://www.checkpoint.com/vsec | Network Virtual Appliance Partner |
| F5 | [email protected] | Network Virtual Appliance Partner |
| Riverbed | [email protected] | Network Virtual Appliance Partner |
Partner Spotlight :
F5 | Microsoft Azure Solutions Overview
Gregory Coward, Solutions Architect, F5 Business Development
[email protected] – Technical
[email protected] – Sales Follow-up
F5 | The BIG-IP in Azure
“Available in Classic and ARM modes”
“Leverages the same user interface, management, and breadth of features as on BIG-IP Hardware”
BIG-IP L4-L7 Services in Azure
• Advanced Global Server Load Balancing
• Remote Access, Pre-Authentication, SSO, and Multi-Factor Authentication
• SAML 2.0 Federation IdP/SP
• ICSA Certified Web Application Firewall / WAF
• ICSA Certified L3/4 Network Firewall
• Intelligent L7 Load Balancing
F5 | BIG-IP MODULES
F5 | BIG-IP Modules
[Diagram labels: VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition; High Performance Fabric; TMOS; PERFORMANCE, AVAILABILITY, SECURITY]
LTM Local Traffic Manager
• Intelligent L4-L7 Load Balancing
• Traffic Optimization (Caching & Compression)
• Deep Packet Inspection
• Intelligent Traffic Steering
• Full-Proxy Architecture
DNS Global Traffic Manager
• Global Server Load Balancing (GSLB)
• Application Availability Awareness
• Geolocation
• DNS services
• DNSSEC
APM Access Policy Manager
• Strategic Point of Control for Application Delivery
• Multi-Factor = Integrates with RSA, SecurID, RADIUS, OTP, certificates, etc.
• Device-based access controls
• Single Sign-On (SSO)
F5 | BIG-IP Modules
ASM Application Security Manager
• ICSA Labs Certified Layer 7 firewall
• Web Application Firewall
• Positive and Negative Security Models
• Mitigate Layer 7 attacks – DDoS, SQL injection, OWASP Top Ten
AFM Advanced Firewall Manager
• ICSA Labs Certified
• Stateful firewall
• Processes 8x more traffic than closest competitor
• Access rules applied at multiple levels (virtual server, VLAN, route domain)
AAM Application Acceleration Manager
• Web performance optimization
• Mobile optimization
• WAN Optimization
• SaaS acceleration
[Diagram labels: VIPRION Platform, BIG-IP Platform, BIG-IP Virtual Edition; High Performance Fabric; TMOS; PERFORMANCE, AVAILABILITY, SECURITY; LTM, DNS, APM, ASM, AFM, AAM]
F5 | BIG-IP In Azure
F5 | The BIG-IP in Azure
Technical Specifics and Limitations
• Functions as any other Linux-based VM deployment
• Availability Sets
• Azure native HA/LB
• User Defined Routing
• Single-NIC & Multi-NIC deployments
• DHCP by default and only option via Azure Web Portal
• Static IP can be configured via PowerShell
• Each Host (including BIGIP) is limited to 1 External IP.
• Automatically assigned
• Utilizes DNAT
• Public IP addresses can be dynamic or static
F5 | The BIG-IP in Azure
Technical Specifics and Limitations
• Deploys pre-configured with VLAN and Self-IP
• Initial deployment/configuration has idiosyncrasies
• Deployed via PowerShell or Web Portal
• Maximum Throughput per instance 1GB*
• Can be deployed in a variety of Virtual Machine sizes (minimum 1 core, 1.75GB)
Multi-NIC Version Available
• Still limited to one external facing IP
• Must be installed via PowerShell, CLI, ARM templates
* Higher throughput possible via larger instance sizes and/or multi-NIC
F5 | Azure Security Center Deployment
F5 | Azure Security Center
WAF Considerations
• BIG-IP VE w/ASM as a service
• Three levels of WAF Policy Enforcement
• Currently only supported in ARM mode
• 1 to 2 instances can be deployed
• One Application per WAF deployment
• BYOL
F5 | User Experience Demo
F5 | The BIG-IP in Azure – DEMO
[Slide diagram. Labels: End Users; Internet; Europe; DNS (BIG-IP Global Traffic Manager); LTM (BIG-IP Local Traffic Manager); APM (BIG-IP Access Policy Manager); ASM (BIG-IP Application Security Manager); AFM (BIG-IP Advanced Firewall Manager)]
Technical Deep Dive with special guest :
Telmo Sampaio
Senior Program Manager, Azure CAT
Reference Architectures: Goal
• Proven by AzureCAT customers
• Golden path for each scenario with recommendations and considerations
• ARM templates to provision recommended architecture
Reference Architectures
Running virtual machines on Azure:
• Running a Windows VM on Azure
• Running a Linux VM on Azure
• Running multiple VMs for scalability and availability
• Running VMs for an N-tier architecture
• Adding reliability to an N-tier architecture (Windows)
• Adding reliability to an N-tier architecture (Linux)
• Running VMs in multiple regions for high availability (Windows)
• Running VMs in multiple regions for high availability (Linux)
Hybrid network architectures:
• Implementing a hybrid network architecture with Azure and on-premises VPN
• Implementing a hybrid network architecture with Azure ExpressRoute
• Implementing a highly available hybrid network architecture
• Implementing a DMZ between Azure and your on-premises datacenter
• Implementing a DMZ between Azure and the Internet
Identity:
• Extending Active Directory to Azure
• Implementing a secure hybrid network architecture with federated identities in Azure
Web applications (PaaS):
• Basic web application
• Improving scalability in a web application
• Web application with high availability
From RAs to composable elements
[Slide diagrams: network architectures sharing the same address plan. Subnets and address ranges recovered from the diagram labels:]
• Azure VNet: 10.0.0.0/16
• On-premises network: 192.168.0.0/16 (Gateway)
• Gateway subnet: 10.0.255.224/27 (VPN Gateway, UDR)
• Management subnet: 10.0.0.128/25 (Jump box, Monitoring, NSG)
• Private DMZ in: 10.0.0.0/27
• Private DMZ out: 10.0.0.32/27
• Public DMZ in: 10.0.0.64/27
• Public DMZ out: 10.0.0.96/27
• Web tier: 10.0.1.0/24 (Availability set, NSG)
• Business tier: 10.0.2.0/24 (Availability set, NSG)
• Data tier: 10.0.3.0/24 (Availability set, NSG)
• AD DS subnet: 10.0.4.0/27 (Availability set, NSG)
• AD FS subnet: 10.0.4.32/27 (Availability set, NSG)
• AD FS proxy subnet: 10.0.4.128/27 (Availability set, NSG)
[Other diagram labels: Internal load balancer, NVA, NIC, NSG, PIP, DevOps, Replication, Partner network, Federation server. Legend: Trust relationship, Web app request, Federated authentication request, Authentication request]
Open Q&A
Thank you!
Session recording will be posted shortly here: http://aka.ms/AzureNetworkingFridays