
Networking on Azure PaaS


devNetNoord

October 18, 2022

Transcript

  1. @erwin_staal Virtual Network basics
     › RFC1918 subnets
       › 10.0.0.0 – 10.255.255.255 (10/8 prefix)
       › 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
       › 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
     › Smallest subnet: /29 -> 3 usable hosts
     › 5 IP addresses are reserved by Azure
       › x.x.x.0: network address
       › x.x.x.1: reserved by Azure for the default gateway
       › x.x.x.2, x.x.x.3: reserved by Azure to map the Azure DNS IPs to the VNet space
       › x.x.x.255: network broadcast address
  2. @erwin_staal Virtual Network peering
     › Connect two or more Virtual Networks
       › Virtual network peering: connect virtual networks within the same Azure region
       › Global virtual network peering: connect virtual networks across Azure regions
     › Traffic remains on the Microsoft network
  3. @erwin_staal Private Endpoint
     › Access Azure PaaS services over a private endpoint
     › Choose to remove the public IP on the PaaS service
     › Traffic remains on the Microsoft network
     › Integration with on-premises and peered networks
  4. @erwin_staal Private Endpoint: supported services

     Service                                          Regions              Status
     Azure Storage                                    All public regions   GA
     Azure Data Lake Storage Gen2                     All public regions   GA
     Azure SQL Database                               All public regions   GA
     Azure Synapse Analytics                          All public regions   GA
     Azure Cosmos DB                                  All public regions   GA
     Azure Database for PostgreSQL - Single server    All public regions   GA
     Azure Database for MySQL                         All public regions   GA
     Azure Database for MariaDB                       All public regions   GA
     Azure Key Vault                                  All public regions   GA
     Azure Kubernetes Service - Kubernetes API        All public regions   GA
     Azure Search                                     All public regions   GA
     Azure Container Registry                         All public regions   GA
     Azure App Configuration                          All public regions   GA
     Azure Event Hub                                  All public regions   GA
     Azure Service Bus                                All public regions   GA
     Azure Relay                                      All public regions   GA
     Azure Event Grid                                 All public regions   GA
     Azure Web Apps                                   All public regions   GA
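Slides 3 and 4 describe Private Endpoints in words; the following Bicep is an added example (not from the deck or the speaker) of what "remove the public IP on the PaaS service" looks like for a storage account: the public endpoint is disabled, a Private Endpoint for the blob sub-resource is placed in the VNet, and a private DNS zone makes the account's normal hostname resolve to the private IP. All names (vnet-app, snet-pe, the storage account name parameter) are placeholders.

```bicep
// Added example, not from the deck: a storage account with its public endpoint
// turned off, reachable only through a Private Endpoint in the VNet. Names
// (vnet-app, snet-pe, storageAccountName) are placeholders.
param location string = resourceGroup().location
@minLength(3)
@maxLength(24)
param storageAccountName string   // assumption: caller supplies a globally unique name

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-pe'
        properties: { addressPrefix: '10.10.1.0/24' }
      }
    ]
  }
}

resource snetPe 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: 'snet-pe'
}

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // "Choose to remove public IP on PaaS service": the public endpoint rejects
    // every request, so the private endpoint is the only path left.
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'None' }
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
  }
}

resource pe 'Microsoft.Network/privateEndpoints@2022-07-01' = {
  name: 'pe-${storageAccountName}-blob'
  location: location
  properties: {
    subnet: { id: snetPe.id }
    privateLinkServiceConnections: [
      {
        name: 'blob'
        properties: {
          privateLinkServiceId: storage.id
          groupIds: [ 'blob' ]   // one endpoint per sub-resource (blob, file, queue, table, ...)
        }
      }
    ]
  }
}

// Private DNS zone that shadows the public blob name inside the VNet, so
// <account>.blob.core.windows.net resolves to the endpoint's private IP.
resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource dnsLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: dnsZone
  name: 'link-vnet-app'
  location: 'global'
  properties: {
    virtualNetwork: { id: vnet.id }
    registrationEnabled: false
  }
}

// Lets the private endpoint write its A record into the zone automatically.
resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2022-07-01' = {
  parent: pe
  name: 'default'
  properties: {
    privateDnsZoneConfigs: [
      { name: 'blob', properties: { privateDnsZoneId: dnsZone.id } }
    ]
  }
}
```

The check that matters after deployment: from a VM inside vnet-app, `nslookup <account>.blob.core.windows.net` must return a 10.10.1.x address; from outside Azure the name still resolves to a public IP, but every request is refused because `publicNetworkAccess` is `Disabled`. If the private DNS zone or its VNet link is missing, clients in the VNet keep resolving the public IP and silently fall back to the (now blocked) public path, which is the most common Private Endpoint misconfiguration.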
  5. @erwin_staal App Service VNet Integration
     › Lets your App Service join a VNet (subnet) for egress
     › Two flavours:
       › Regional virtual network integration: allows you to access resources in your VNet in the same region
       › Gateway-required virtual network integration: allows you to access resources in other regions
     › You can block outbound traffic with an NSG
  6. @erwin_staal Service Endpoint
     › Provides a secure and direct connection to Azure services
     › Traffic from your VNet to the Azure service remains on the Microsoft network
     › Lock down access to e.g. a Web App to a specific VNet
  7. @erwin_staal Service Endpoint: supported services
     › Azure Storage
     › Azure SQL Database
     › Azure SQL Data Warehouse
     › Azure Database for PostgreSQL server
     › Azure Database for MySQL server
     › Azure Database for MariaDB
     › Azure Cosmos DB
     › Azure Key Vault
     › Azure Service Bus
     › Azure Event Hubs
     › Azure Data Lake Store Gen 1
     › Azure App Service
     › Azure Cognitive Services
     › Public Preview: Azure Container Registry
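Slides 6 and 7 list what Service Endpoints do and where they are available; this added Bicep example (not from the deck or the speaker) shows the two halves that both have to be in place for a Service Endpoint to lock anything down: the subnet advertises the endpoint, and the PaaS resource's own firewall denies everything except that subnet. Names and the storage account name parameter are placeholders.

```bicep
// Added example, not from the deck: a Service Endpoint for Microsoft.Storage on
// the application subnet, plus the storage-account firewall rule that actually
// enforces the lock-down. Names are placeholders; storageAccountName is assumed
// to be supplied by the caller.
param location string = resourceGroup().location
param storageAccountName string

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.10.2.0/24'
          // Half 1: the subnet advertises the service endpoint. Traffic to the
          // storage service now carries the VNet/subnet identity instead of a
          // public source IP and stays on the Microsoft network.
          serviceEndpoints: [
            { service: 'Microsoft.Storage', locations: [ location ] }
          ]
        }
      }
    ]
  }
}

resource snetApp 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
  parent: vnet
  name: 'snet-app'
}

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' = {
  name: storageAccountName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    // Half 2: the account keeps its public IP; what protects it is this
    // firewall. Without defaultAction 'Deny' the service endpoint changes
    // nothing about who can reach the account.
    publicNetworkAccess: 'Enabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'   // keep trusted first-party services (e.g. monitoring) working
      virtualNetworkRules: [
        { id: snetApp.id, action: 'Allow' }
      ]
      ipRules: []               // no internet-facing allow list
    }
    minimumTlsVersion: 'TLS1_2'
  }
}
```

This is the practical difference from the Private Endpoint example: the storage account is still a public endpoint on a public IP, so an audit should look at `networkAcls.defaultAction` on the PaaS side, not only at the subnet's `serviceEndpoints` list. A subnet with the endpoint configured but an account left at `defaultAction: 'Allow'` is reachable from anywhere exactly as before.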
  8. @erwin_staal Access Restrictions on Web Apps
     › Define a priority-ordered allow/deny list that controls network access to your app
     › Based on IP addresses (IPv4, IPv6), Azure Virtual Network subnets or Service Tags
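Slide 5 (VNet integration for egress) and slide 8 (access restrictions for ingress) are the two sides of one App Service; this added Bicep example (not from the deck or the speaker) puts them together: a delegated integration subnet with an NSG that blocks outbound internet traffic, "route all" turned on so that NSG actually sees every outbound flow, and a priority-ordered restriction list with an IPv4 range, an IPv6 range, a VNet subnet and a Service Tag, ending in a catch-all deny. Names, address ranges and the 203.0.113.0/24 and 2001:db8::/32 client ranges are placeholders.

```bicep
// Added example, not from the deck: an App Service with regional VNet
// integration for egress (slide 5) and a priority-ordered access-restriction
// list for ingress (slide 8). Names and address ranges are placeholders.
param location string = resourceGroup().location
param appName string   // assumption: caller supplies a globally unique name

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // Egress subnet: delegated to App Service, NSG attached for outbound control.
        name: 'snet-appsvc-int'
        properties: {
          addressPrefix: '10.10.3.0/24'
          delegations: [
            { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
          networkSecurityGroup: { id: nsgEgress.id }
        }
      }
      {
        // Client subnet allowed to call the app; it needs the Microsoft.Web
        // service endpoint for the subnet-based access restriction to work.
        name: 'snet-clients'
        properties: {
          addressPrefix: '10.10.4.0/24'
          serviceEndpoints: [ { service: 'Microsoft.Web' } ]
        }
      }
    ]
  }
}

resource snetInt 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: vnet, name: 'snet-appsvc-int' }
resource snetClients 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: vnet, name: 'snet-clients' }

resource nsgEgress 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-appsvc-egress'
  location: location
  properties: {
    securityRules: [
      {
        // "You can block outbound traffic with an NSG": VNet-bound traffic is
        // still allowed by the default AllowVnetOutBound rule, so private
        // endpoints keep working while direct internet egress is denied.
        name: 'deny-internet-out'
        properties: {
          priority: 100
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource plan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: 'plan-app'
  location: location
  sku: { name: 'P1v3', tier: 'PremiumV3' }
}

resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: appName
  location: location
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    // Regional VNet integration: outbound traffic from the app enters snet-appsvc-int.
    virtualNetworkSubnetId: snetInt.id
    siteConfig: {
      // Route all outbound traffic (not only RFC1918 destinations) into the VNet,
      // so the NSG above applies to internet-bound flows as well.
      vnetRouteAllEnabled: true
      minTlsVersion: '1.2'
      // Access restrictions: evaluated from the lowest priority number upwards;
      // the final 'Any' Deny rule is the catch-all.
      ipSecurityRestrictions: [
        { name: 'allow-office-ipv4', ipAddress: '203.0.113.0/24', action: 'Allow', priority: 100 }
        { name: 'allow-office-ipv6', ipAddress: '2001:db8::/32', action: 'Allow', priority: 110 }
        { name: 'allow-client-subnet', vnetSubnetResourceId: snetClients.id, action: 'Allow', priority: 200 }
        { name: 'allow-frontdoor', tag: 'ServiceTag', ipAddress: 'AzureFrontDoor.Backend', action: 'Allow', priority: 300 }
        { name: 'deny-all', ipAddress: 'Any', action: 'Deny', priority: 2147483647 }
      ]
      scmIpSecurityRestrictionsUseMain: true   // apply the same list to the Kudu/SCM site
    }
  }
}
```

Two things reviewers routinely miss here: without `vnetRouteAllEnabled` only RFC1918 destinations go through the integration subnet, so the outbound NSG never sees internet-bound traffic; and the SCM (Kudu) site has its own restriction list, which is why `scmIpSecurityRestrictionsUseMain` is set, otherwise the deployment endpoint stays open while the main site is locked down.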
  9. @erwin_staal Private Endpoint vs Service Endpoint

     Private Endpoint                                     Service Endpoint
     Access through a private IP address                  Access through a public IP address
     Access from within Azure and on-premises to PaaS     Access to PaaS in Azure
     More difficult to set up                             Easier to set up
     You need to own both sides*                          You do not need to own both sides
     Traffic remains on the Microsoft backbone            Traffic remains on the Microsoft backbone

     * Strictly speaking not true, but…
  10. @erwin_staal Static outbound IP address
     › Using a NAT gateway
     › Static, predictable IP address (up to 16)
     › In case of an App Service: a much higher number of SNAT ports
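The NAT gateway slide above gives the two properties (up to 16 predictable IPs, many more SNAT ports) without showing the wiring; this added Bicep example (not from the deck or the speaker) attaches a NAT gateway with a /28 public IP prefix, i.e. exactly 16 addresses, to an App Service integration subnet. Names are placeholders, and the app is assumed to already have regional VNet integration with "route all" enabled into snet-appsvc-int.

```bicep
// Added example, not from the deck: a NAT gateway with a /28 public IP prefix
// (16 addresses, the maximum the slide mentions) attached to the App Service
// integration subnet, so all egress from the app uses those predictable IPs.
// Names are placeholders; the app itself is assumed to already have regional
// VNet integration with "route all" enabled into snet-appsvc-int.
param location string = resourceGroup().location

// A prefix keeps the 16 addresses contiguous, which is easier to allow-list
// on the receiving side than 16 separate public IPs.
resource natPrefix 'Microsoft.Network/publicIPPrefixes@2022-07-01' = {
  name: 'ippre-nat-app'
  location: location
  sku: { name: 'Standard' }
  properties: { prefixLength: 28 }
}

resource nat 'Microsoft.Network/natGateways@2022-07-01' = {
  name: 'nat-app'
  location: location
  sku: { name: 'Standard' }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpPrefixes: [ { id: natPrefix.id } ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-appsvc-int'
        properties: {
          addressPrefix: '10.10.3.0/24'
          delegations: [
            { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } }
          ]
          // The NAT gateway is a subnet property: every outbound flow leaving this
          // subnet is SNATed through the prefix above.
          natGateway: { id: nat.id }
        }
      }
    ]
  }
}

// Hand this range to whoever has to allow-list the app's egress.
output egressPrefix string = natPrefix.properties.ipPrefix
```

On the SNAT point from the slide: each public IP behind a NAT gateway contributes 64,512 SNAT ports, whereas an App Service instance is preallocated 128 ports on the shared platform IPs, which is why apps that open many outbound connections hit SNAT exhaustion without one. Note that `az webapp show` keeps listing the platform's own outbound addresses; to confirm the NAT gateway is in the path, make a request from the app to an endpoint that echoes the caller's IP and compare it with `egressPrefix`.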
  11. @erwin_staal Azure Bastion
     › Provides secure RDP and SSH connectivity to VMs
     › Uses an HTML5-based web client that streams to your local device
     › No public IP is required on the Azure VM
     › No open RDP / SSH ports to the internet
     › Use the Azure Portal or the native client
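The Bastion slide lists the security properties (no public IP on the VM, no RDP/SSH open to the internet, native client support); this added Bicep example (not from the deck or the speaker) shows the deployment that delivers them: the mandatory AzureBastionSubnet, a Standard-SKU Bastion host with tunnelling enabled for the native client, and an NSG on the VM subnet that accepts ports 22 and 3389 only from the Bastion subnet. Names and address ranges are placeholders.

```bicep
// Added example, not from the deck: Azure Bastion (Standard SKU, native-client
// tunnelling on) next to a VM subnet whose NSG only accepts RDP/SSH from the
// Bastion subnet. VMs in snet-vm get no public IP. Names are placeholders.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-mgmt'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [
      {
        // The name is mandatory and the subnet must be at least /26.
        name: 'AzureBastionSubnet'
        properties: { addressPrefix: '10.20.0.0/26' }
      }
      {
        name: 'snet-vm'
        properties: {
          addressPrefix: '10.20.1.0/24'
          networkSecurityGroup: { id: nsgVm.id }
        }
      }
    ]
  }
}

resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: vnet, name: 'AzureBastionSubnet' }

// Bastion itself needs one Standard static public IP; the VMs behind it need none.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
  name: 'pip-bas-mgmt'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2022-07-01' = {
  name: 'bas-mgmt'
  location: location
  sku: { name: 'Standard' }   // Standard is required for native-client (tunnelling) support
  properties: {
    enableTunneling: true
    ipConfigurations: [
      {
        name: 'ipconf'
        properties: {
          subnet: { id: bastionSubnet.id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

// NSG for the VM subnet: management ports reachable only from the Bastion subnet.
resource nsgVm 'Microsoft.Network/networkSecurityGroups@2022-07-01' = {
  name: 'nsg-vm'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-bastion-mgmt'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.20.0.0/26'   // AzureBastionSubnet
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
      {
        name: 'deny-internet-mgmt'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}
```

With tunnelling enabled, the native-client path from the slide is `az network bastion ssh --name bas-mgmt --resource-group <rg> --target-resource-id <vm-resource-id> --auth-type ssh-key --username <user> --ssh-key <path>`, and the session is authenticated against Azure RBAC (the caller needs read access to the VM and the Bastion) before any SSH credential is used. The explicit `deny-internet-mgmt` rule is belt-and-braces: it keeps ports 22/3389 closed even if someone later attaches a public IP to a NIC in snet-vm.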
  12. @erwin_staal VNet VPN Gateway
     › Virtual network gateway used to send encrypted traffic between
       › an Azure virtual network and an on-premises location
       › Azure virtual networks, over the Microsoft network
     › Site-to-Site and Multi-Site
     › VNet-to-VNet connections
     › ExpressRoute
     › Point-to-Site VPN
       › Certificate
       › Azure AD
       › RADIUS
       › OpenVPN
  13. @erwin_staal Azure DNS Private Resolver
     › Query Azure DNS private zones from an on-premises environment
     › Conditionally forward DNS requests to on-premises DNS servers
     › Fully managed: built-in high availability, zone redundancy
     › Cost reduction: reduce operating costs and run at a fraction of the price of traditional IaaS solutions
     › DevOps friendly: build your pipelines with Terraform, ARM, or Bicep
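The last slide names the two directions the Private Resolver handles (on-premises querying Azure private zones, Azure conditionally forwarding to on-premises DNS); this added Bicep example (not from the deck or the speaker) deploys both: an inbound endpoint that on-premises DNS can forward the privatelink zones to, and an outbound endpoint with a forwarding ruleset for one on-premises domain. Names, the corp.example domain and the 192.168.10.10 / 192.168.10.11 DNS servers are placeholders, and the VNet is assumed to already be linked to the private DNS zones it should answer for.

```bicep
// Added example, not from the deck: an Azure DNS Private Resolver with an
// inbound endpoint (on-premises DNS forwards privatelink zones here) and an
// outbound endpoint plus ruleset that conditionally forwards corp.example to
// on-premises DNS servers. Names and addresses are placeholders.
param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      // Both resolver subnets must be delegated to Microsoft.Network/dnsResolvers.
      {
        name: 'snet-dns-in'
        properties: {
          addressPrefix: '10.0.0.0/28'
          delegations: [ { name: 'dnsres', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]
        }
      }
      {
        name: 'snet-dns-out'
        properties: {
          addressPrefix: '10.0.0.16/28'
          delegations: [ { name: 'dnsres', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]
        }
      }
    ]
  }
}

resource snetIn 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: vnet, name: 'snet-dns-in' }
resource snetOut 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: vnet, name: 'snet-dns-out' }

resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = {
  name: 'dnspr-hub'
  location: location
  properties: { virtualNetwork: { id: vnet.id } }
}

// Inbound: a private IP in the VNet that on-premises DNS can forward to; it
// answers from the Azure DNS private zones linked to vnet-hub (privatelink.* etc.).
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: {
    ipConfigurations: [
      { subnet: { id: snetIn.id }, privateIpAllocationMethod: 'Dynamic' }
    ]
  }
}

// Outbound: the egress point for queries forwarded by the ruleset below.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'outbound'
  location: location
  properties: { subnet: { id: snetOut.id } }
}

resource ruleset 'Microsoft.Network/dnsForwardingRulesets@2022-07-01' = {
  name: 'ruleset-onprem'
  location: location
  properties: { dnsResolverOutboundEndpoints: [ { id: outbound.id } ] }
}

// Conditional forwarding: only corp.example (and its subdomains) goes
// on-premises; everything else keeps resolving through Azure DNS.
resource rule 'Microsoft.Network/dnsForwardingRulesets/forwardingRules@2022-07-01' = {
  parent: ruleset
  name: 'corp-example'
  properties: {
    domainName: 'corp.example.'   // trailing dot is required
    forwardingRuleState: 'Enabled'
    targetDnsServers: [
      { ipAddress: '192.168.10.10', port: 53 }
      { ipAddress: '192.168.10.11', port: 53 }
    ]
  }
}

// A ruleset only takes effect in VNets that are linked to it.
resource rulesetLink 'Microsoft.Network/dnsForwardingRulesets/virtualNetworkLinks@2022-07-01' = {
  parent: ruleset
  name: 'link-vnet-hub'
  properties: { virtualNetwork: { id: vnet.id } }
}

// Point on-premises conditional forwarders for the privatelink.* zones at this IP.
output inboundIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

This is what makes the Private Endpoint slides usable from on-premises: a client in the office asking its own DNS for `<account>.blob.core.windows.net` is forwarded (via the conditional forwarder for `privatelink.blob.core.windows.net`) to `inboundIp`, gets the endpoint's private address, and reaches it over the VPN or ExpressRoute path from slide 12. Keep the two resolver subnets free of other workloads; the delegation prevents that, and the /28 size is the documented minimum.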