Microsoft Cloud Networking for Enterprise Architects
What IT architects need to know about networking in Microsoft cloud services and platforms

Topic 1 of 6: Networking in the Microsoft cloud

Cloud migration changes the volume and nature of traffic flows within and outside a corporate network. It also affects approaches to mitigating security risk.

Microsoft SaaS
Microsoft SaaS services include Office 365, Microsoft Intune, and Microsoft Dynamics 365. Successful adoption of SaaS services by users depends on highly available and performant connectivity to the Internet, or directly to Microsoft cloud services. Network architecture focuses on reliable, redundant connectivity and ample bandwidth. Ongoing investments include performance monitoring and tuning.
Tasks:
• Architect reliable, redundant Internet connectivity with ample bandwidth
• Monitor and tune Internet throughput for performance
• Troubleshoot Internet connectivity and throughput issues

Azure PaaS
In addition to the investments for Microsoft SaaS services, multi-site or geographically distributed PaaS applications might require architecting Azure Application Gateway or Azure Traffic Manager to distribute client traffic. Ongoing investments include performance and traffic distribution monitoring and failover testing.
Tasks:
• Design Azure Traffic Manager to load balance traffic to different endpoints

Azure IaaS
In addition to the investments for Microsoft SaaS and PaaS services, running IT workloads in IaaS requires the design and configuration of Azure virtual networks that host virtual machines, secure connectivity to applications running on them, routing, IP addressing, DNS, and load balancing. Ongoing investments include performance and security monitoring and troubleshooting.
Tasks:
• Architect reliable, redundant, and performant connectivity to Azure virtual networks
• Design secure connectivity to Azure virtual machines
• Design and implement routing between on-premises locations and virtual networks
• Architect and implement load balancing for internal and Internet-facing IT workloads
• Troubleshoot virtual machine connectivity and throughput issues

Over the years, many organizations have optimized intranet connectivity and performance to applications running in on-premises datacenters. With cloud productivity and IT workloads running in the Microsoft cloud, additional investment must ensure high connectivity availability and that traffic performance between your edge network and your intranet users is optimal.

Optimize throughput at your edge network
As more of your day-to-day productivity traffic travels to the cloud, you should closely examine the set of systems at your edge network (such as firewalls and proxy servers) to ensure that they are current, provide high availability, and have sufficient capacity to meet peak loads.

Although you can use your current Internet connection from your edge network, traffic to and from Microsoft cloud services must share the pipe with other intranet traffic going to the Internet. Additionally, your traffic to Microsoft cloud services is subject to Internet traffic congestion.

For a high SLA and the best performance, use ExpressRoute, a dedicated WAN connection between your network and Azure, Office 365, Dynamics 365, or all three. ExpressRoute can leverage your existing network provider for a dedicated connection. Resources connected by ExpressRoute appear as if they are on your WAN, even for geographically distributed organizations.

See: ExpressRoute for Office 365, ExpressRoute for Azure
June 2017 © 2016 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Topic 2 of 6: Steps to prepare your network for Microsoft cloud services

Intranet (steps 1-3)
1. Analyze your client computers and optimize for network hardware, software drivers, protocol settings, and Internet browsers.
2. Analyze your on-premises network for traffic latency and optimal routing to the Internet edge device.
3. Analyze the capacity and performance of your Internet edge device and optimize for higher levels of traffic.

Internet (steps 1-2)
1. Analyze the latency between your Internet edge device (such as your external firewall) and the regional locations of the Microsoft cloud service to which you are connecting.
2. Analyze the capacity and utilization of your current Internet connection and add capacity if needed. Alternatively, add an ExpressRoute connection.

Diagram: the on-premises network (users, internal firewall, proxy server, external workloads) reaches Office 365, Microsoft Intune, Microsoft Azure, and Dynamics 365 either over the Internet pipe or over ExpressRoute.

Internal firewall: Barrier between your trusted network and an untrusted one. Performs traffic filtering (based on rules) and monitoring.
External workload: Web sites or other workloads made available to external users on the Internet.
Proxy server: Services requests for web content on behalf of intranet users. A reverse proxy allows unsolicited inbound requests.
Topic 3 of 6: ExpressRoute

Without ExpressRoute
Diagram: your on-premises network and users on the Internet reach Office 365, Microsoft Intune, Microsoft Azure, and Dynamics 365 across your ISP's edge and the public Internet. Users on the Internet, such as roaming or remote users, send their traffic to the Microsoft cloud over the Internet.

With ExpressRoute
With an ExpressRoute connection, you now have control, through a relationship with your service provider, over the entire traffic path from your edge to the Microsoft cloud edge. This connection can offer predictable performance and a 99.9% uptime SLA.

You can now count on predictable throughput and latency, based on your service provider's connection, to Office 365, Azure, and Dynamics 365 services. ExpressRoute connections to Microsoft Intune are not supported at this time.

Traffic sent over the ExpressRoute connection is no longer subject to Internet outages, traffic congestion, and monitoring on the public Internet. Note that an ExpressRoute circuit is a private path, not an encrypted one: traffic crosses your provider's network in whatever form your applications send it, so keep TLS (or IPsec for cross-premises VNet traffic) in place for confidentiality and integrity.

An ExpressRoute connection is not a guarantee of higher performance in every configuration. It is possible to have lower performance over a low-bandwidth ExpressRoute connection than over a high-bandwidth Internet connection that is only a few hops away from a regional Microsoft datacenter.

See these additional resources for more information: ExpressRoute for Office 365, ExpressRoute for Azure. For the latest recommendations for using ExpressRoute with Office 365, see ExpressRoute for Office 365.
ExpressRoute peering relationships

Microsoft peering (Microsoft SaaS: Office 365, Dynamics 365)
• Is from a router in your DMZ to the public addresses of Office 365 and Dynamics 365 services.
• Supports bidirectional-initiated communication.

Public peering (Azure PaaS application types: compute, web and mobile, data, hybrid integration, analytics, IoT, media and CDN)
• Is from a router in your DMZ to the public IP addresses of Azure services.
• Supports unidirectional-initiated communication from on-premises systems only. The peering relationship does not support communication initiated from Azure PaaS services.
(Azure public peering has since been deprecated for new circuits; Microsoft peering now carries traffic to Azure PaaS public endpoints as well as to Office 365 and Dynamics 365.)

Private peering (Azure IaaS: virtual networks)
• Is from a router in your DMZ to the address space of your Azure virtual networks.
Traffic flow
ExpressRoute traffic flows between:
• Your locations.
• Microsoft cloud peering locations (the physical locations to connect to the Microsoft edge).
• Microsoft datacenter locations.

Microsoft datacenter and cloud peering locations are all connected to the Microsoft cloud network.

When you create an ExpressRoute connection to a Microsoft cloud peering location, you are connected to the Microsoft cloud network and all the Microsoft datacenter locations in the same continent. The traffic between the cloud peering location and the destination Microsoft datacenter is carried over the Microsoft cloud network.

This can result in non-optimal delivery to local Microsoft datacenters for the any-to-any connectivity model. In this example, traffic from the east coast branch office has to go across the country over the WAN to a west coast Microsoft cloud peering location and then back across the Microsoft cloud network to the East US Azure datacenter.

With ExpressRoute Premium, you can reach any Microsoft datacenter on any continent from any Microsoft peering location on any continent. The traffic between continents is carried over the Microsoft cloud network. For intercontinental traffic over the Microsoft cloud network, you must use ExpressRoute Premium connections.

With multiple ExpressRoute Premium connections, you can have:
• Better performance to continentally local Microsoft datacenters.
• Higher availability to the global Microsoft cloud when a local ExpressRoute connection becomes unavailable.

ExpressRoute Premium is required for Office 365-based ExpressRoute connections. However, there is no additional cost for enterprises with 500 or more licensed users.

Diagram: Example of ExpressRoute Premium connections for a global enterprise using Office 365. Location 1 and Location 2 each connect over the WAN to their own regional peering location; each peering location connects to the Microsoft cloud network and the local Microsoft datacenter.

See: Network planning and performance tuning for Office 365
ExpressRoute options

Security at your edge
To provide advanced security for the traffic sent and received over the ExpressRoute connection, such as traffic inspection or intrusion/malware detection, place your security appliances in the traffic path within your DMZ or at the border of your intranet. The circuit itself does no filtering; anything you do not inspect at the edge reaches the Microsoft cloud unexamined.

Internet traffic for VMs
To prevent Azure VMs from initiating traffic directly with Internet locations, advertise the default route (0.0.0.0/0) to Microsoft over the private peering. Traffic to the Internet is then routed across the ExpressRoute connection and through your on-premises proxy servers. Traffic from Azure VMs to Azure PaaS services or Office 365 is routed back across the ExpressRoute connection.

WAN optimizers
You can deploy WAN optimizers on both sides of a private peering connection for a cross-premises Azure virtual network (VNet). Inside the Azure VNet, use a WAN optimizer network appliance from the Azure Marketplace and user-defined routing to route the traffic through the appliance.

Quality of service
Use Differentiated Services Code Point (DSCP) values in the IPv4 header of your traffic to mark it for voice, video/interactive, or best-effort delivery. This is especially important for the Microsoft peering relationship and Skype for Business Online traffic.

More information:
ExpressRoute for Office 365: http://aka.ms/expressrouteoffice365
ExpressRoute for Office 365 Training: https://channel9.msdn.com/series/aer/
ExpressRoute for Azure: https://azure.microsoft.com/services/expressroute/
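The quality-of-service option above says to mark traffic with DSCP values but does not show what that looks like on the wire. The following is an added example (not code from the Microsoft poster): it classifies a flow into voice, video/interactive, or best effort, builds the IPv4 DS byte (DSCP in the top six bits, ECN in the low two), and emits a correctly checksummed IPv4 header carrying that mark. The UDP port ranges are the ones Microsoft publishes for Skype for Business Online client media (audio 50000-50019, video 50020-50039, application sharing 50040-50059) and the DSCP values (EF 46, AF41 34, AF21 18, CS0 0) follow the same guidance; treat both as assumptions to align with your own QoS policy. The addresses are constructed.

```python
"""DSCP marking for voice, video/interactive and best-effort traffic.

Added example, not code from the Microsoft poster. Port ranges and DSCP
values are assumptions taken from Skype for Business Online QoS guidance.
"""
import socket
import struct
from dataclasses import dataclass

EF, AF41, AF21, CS0 = 46, 34, 18, 0

# Assumed client media source-port ranges -> (DSCP, class label).
PORT_CLASSES = (
    (range(50000, 50020), EF, "voice"),
    (range(50020, 50040), AF41, "video/interactive"),
    (range(50040, 50060), AF21, "application sharing"),
)


@dataclass(frozen=True)
class Flow:
    src_port: int
    dst_port: int
    proto: str  # "udp" or "tcp"


def classify(flow: Flow) -> tuple:
    """Return (dscp, label). Only UDP media from the assumed port ranges is
    marked; everything else, including TCP fallback media, stays best effort."""
    if flow.proto == "udp":
        for ports, dscp, label in PORT_CLASSES:
            if flow.src_port in ports:
                return dscp, label
    return CS0, "best-effort"


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """The DS field: DSCP in the upper 6 bits, ECN in the lower 2 bits."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn


def dscp_of(ds: int) -> int:
    """Recover the DSCP from a DS byte read off the wire."""
    return (ds & 0xFF) >> 2


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(dscp: int, src: str, dst: str, payload_len: int,
                proto: int = 17, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header carrying the DS byte, with a valid checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        ds_byte(dscp),        # DS field (DSCP | ECN)
        20 + payload_len,     # total length
        0,                    # identification
        0x4000,               # flags: don't fragment; fragment offset 0
        ttl,
        proto,                # 17 = UDP
        0,                    # checksum placeholder
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def mark(flow: Flow, src: str, dst: str, payload_len: int) -> bytes:
    """Classify a flow and emit the marked header, as a QoS policy would."""
    dscp, _ = classify(flow)
    return ipv4_header(dscp, src, dst, payload_len)


if __name__ == "__main__":
    # Constructed flows: an audio stream, a video stream and a web request.
    for f in (Flow(50003, 3478, "udp"), Flow(50025, 3479, "udp"), Flow(51000, 443, "tcp")):
        dscp, label = classify(f)
        hdr = mark(f, "10.119.1.10", "203.0.113.5", 160)  # constructed addresses
        print(f"{f} -> {label}: DSCP {dscp}, DS byte 0x{hdr[1]:02x}, "
              f"checksum verifies: {ipv4_checksum(hdr) == 0}")
```

The marking is only useful end to end if every hop honours it: the on-premises LAN, your edge devices, and the ExpressRoute provider must all preserve the DS byte, and an unmarked or remarked packet simply falls into best effort.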
Topic 4 of 6: Steps to prepare your network for Microsoft SaaS services

1. Go through the Steps to prepare your network for Microsoft cloud services in topic 2 of this model.
2. Optimize your Internet egress for Microsoft SaaS services using the proxy server recommendations.
3. Optimize your Internet throughput using the proximity and location recommendations.
4. Optimize the performance of your client computers and the intranet on which they are located using the client usage considerations.
5. As needed, optimize the performance of data migrations and synchronization using the IT operations considerations.

IT operations considerations

One-time migrations, such as bulk data transfer for cloud-based applications or archival storage:
• Avoid peak network usage and computer patching times.
• Baseline and pilot the migration, assess network health, and resolve issues before attempting the actual migration.
• Perform a post-mortem to inform future migrations.

Ongoing synchronizations, such as directory information, settings, or files:
• Ensure that a network bandwidth monitoring system is in place, and resolve or dismiss collected errors.
• Use bandwidth monitoring results to determine the need for network changes (scale-up/out, new circuits, or adding devices).

More information:
Network planning and performance tuning for Office 365: http://aka.ms/tune
Office 365 Performance Management Microsoft Virtual Academy course: http://aka.ms/o365perf
ExpressRoute for Office 365: http://aka.ms/expressrouteoffice365
Topic 5 of 6: Steps to prepare your network for Azure PaaS

1. Go through the Steps to prepare your network for Microsoft cloud services in topic 2 of this model.
2. Optimize your Internet bandwidth using steps – of the Steps to prepare your network for Microsoft SaaS services in topic 4 of this model.
3. Determine whether you need an ExpressRoute connection to Azure.
4. For web-based workloads, determine whether you need the Azure Application Gateway.
5. For distribution of traffic to different endpoints in different datacenters, determine whether you need Azure Traffic Manager.

Application Gateway
Diagram: users on the Internet reach a set of virtual machines through Azure Application Gateway, which distributes their web traffic to the virtual machines.

Traffic Manager
Traffic Manager routing methods:
• Failover: The endpoints are in the same or different Azure datacenters and you want to use a primary endpoint for all traffic, but provide backups in case the primary or the backup endpoints are unavailable.
• Round robin: You want to distribute load across a set of endpoints in the same datacenter or across different datacenters.
• Performance: You have endpoints in different geographic locations and you want requesting clients to use the "closest" endpoint in terms of the lowest latency.
(The Azure portal now calls the first two methods Priority and Weighted; Performance keeps its name.)

Example with the performance routing method, with web apps in West Europe and East Asia:
1. A user DNS query for a web site URL gets directed to Azure Traffic Manager, which returns the name of a regional web app, based on the performance routing method.
2. The user initiates traffic with the regional web app.
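The three routing methods above are decisions Traffic Manager makes when it answers a DNS query; the client never talks to Traffic Manager for the data path. The following added example (not code from the Microsoft poster) models those decisions over a constructed endpoint table: failover by priority, round robin that skips endpoints whose health probe failed, and performance by lowest latency from the querying client's network. Endpoint names, priorities, health states and latency figures are invented for illustration.

```python
"""How Azure Traffic Manager's routing methods choose an endpoint.

Added example, not code from the Microsoft poster. Traffic Manager answers
DNS queries, so "choosing an endpoint" means returning that endpoint's
hostname; the client then connects to it directly. All endpoint data here is
constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Endpoint:
    name: str            # hostname returned in the DNS answer
    region: str
    priority: int        # failover order; lower is preferred
    healthy: bool        # latest health-probe result
    latency_ms: dict     # constructed: client source network -> latency to this endpoint


ENDPOINTS = (
    Endpoint("app-we.azurewebsites.net", "West Europe", 1, True, {"eu": 20, "asia": 180}),
    Endpoint("app-ea.azurewebsites.net", "East Asia", 2, True, {"eu": 190, "asia": 25}),
)


def healthy_only(endpoints):
    return [e for e in endpoints if e.healthy]


def failover(endpoints):
    """Primary endpoint for all traffic; the next healthy one by priority if it fails.
    Returns None when nothing is healthy, i.e. the DNS query gets no answer."""
    ordered = sorted(healthy_only(endpoints), key=lambda e: e.priority)
    return ordered[0].name if ordered else None


def performance(endpoints, client_network):
    """Healthy endpoint with the lowest latency from the querying client's network."""
    candidates = healthy_only(endpoints)
    if not candidates:
        return None
    return min(candidates, key=lambda e: e.latency_ms[client_network]).name


class RoundRobin:
    """Rotate across endpoints; an unhealthy endpoint is skipped on each query."""

    def __init__(self, endpoints):
        self.endpoints = tuple(endpoints)
        self._next = 0

    def resolve(self):
        for _ in range(len(self.endpoints)):
            ep = self.endpoints[self._next % len(self.endpoints)]
            self._next += 1
            if ep.healthy:
                return ep.name
        return None


def with_health(endpoints, name, healthy):
    """Copy of the endpoint list with one endpoint's probe result changed."""
    return tuple(replace(e, healthy=healthy) if e.name == name else e for e in endpoints)


if __name__ == "__main__":
    print("failover:", failover(ENDPOINTS))
    down = with_health(ENDPOINTS, "app-we.azurewebsites.net", False)
    print("failover after West Europe probe fails:", failover(down))
    print("performance for a client in Asia:", performance(ENDPOINTS, "asia"))
    rr = RoundRobin(ENDPOINTS)
    print("round robin:", [rr.resolve() for _ in range(4)])
```

Because the choice is made at DNS time, a client keeps using the endpoint it resolved until its DNS TTL expires; failover is therefore only as fast as the TTL plus the probe interval, which is worth factoring into any availability target you set.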
Topic 6 of 6: Steps to prepare your network for Azure IaaS

Planning steps for an Azure VNet
1. Prepare your intranet for Microsoft cloud services.
2. Optimize your Internet bandwidth.
3. Determine the type of VNet (cloud-only or cross-premises).
4. Determine the address space of the VNet.
5. Determine the subnets within the VNet and the address spaces assigned to each.
6. Determine the DNS server configuration and the addresses of the DNS servers to assign to VMs in the VNet.

Additional planning steps for a cross-premises Azure VNet
1. Determine the on-premises connection to the VNet (S2S VPN or ExpressRoute).
2. Determine the on-premises VPN device or router.
3. Add routes to make the address space of the VNet reachable.
4. For ExpressRoute, plan for the new connection with your provider.
5. Determine the Local Network address space for the Azure gateway.
6. Configure on-premises DNS servers for DNS replication with DNS servers hosted in Azure.
7. Determine the use of forced tunneling and user-defined routes.

See the additional Planning steps for a cross-premises Azure VNet later in this topic.
Step 4: Determine the address space of the VNet.
See: Addressing for virtual networks, Addressing for virtual machines

Step 5: Determine the subnets within the VNet and the address spaces assigned to each.

Placing the gateway subnet at the end of the VNet address space
With this method, the address space for the gateway subnet is always at the farthest end of the VNet address space. For a VNet address space of 10.119.0.0/16 and a /28 gateway subnet:
1. Write the variable portion of the VNet address space as bits: 10.119.bbbbbbbb.bbbbbbbb
2. Set the bits in the variable portion of the VNet address space: 0 for the gateway subnet bits (G), otherwise 1 (V). 10.119.VVVVVVVV.VVVVGGGG becomes 10.119.11111111.11110000
3. Convert the result from step 2 to decimal and express it as an address space: 10.119.255.240/28
See: Address space calculator for Azure gateway subnets

Sizing subnets
Azure reserves the first four addresses and the last address of every subnet (the network address, three addresses used by Azure itself, and the broadcast address). Therefore, the number of usable addresses on an Azure subnet is 2^n − 5, where n is the number of host bits:

Number of VMs | Host bits (n) | Subnet prefix
4–11          | 4             | /28
12–27         | 5             | /27
28–59         | 6             | /26
60–123        | 7             | /25
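The bit-walking method and the sizing table above are easy to get wrong by hand on larger address spaces. The following added example (not code from the Microsoft poster, nor the Azure calculator it links to) implements both: it places the gateway subnet in the last block of the VNet address space, renders the poster's V/G bit string for a given VNet, sizes subnets using the 2^n − 5 rule, and carves a subnet plan that refuses to overlap the gateway subnet. The VNet 10.119.0.0/16 is the poster's own example; the /24 VNet and the subnet labels in the usage are constructed.

```python
"""Gateway subnet placement and subnet sizing for an Azure VNet.

Added example; not code from the Microsoft poster or the Azure calculator.
"""
import ipaddress

AZURE_RESERVED = 5      # network address, 3 Azure-reserved addresses, broadcast
SMALLEST_PREFIX = 29    # Azure does not allow subnets smaller than /29


def gateway_subnet(vnet: str, prefix: int = 28) -> ipaddress.IPv4Network:
    """The /prefix block at the farthest end of the VNet address space."""
    net = ipaddress.ip_network(vnet, strict=True)
    if prefix < net.prefixlen or prefix > SMALLEST_PREFIX:
        raise ValueError(f"gateway prefix /{prefix} does not fit in {net}")
    # The block that contains the VNet's last address is, by construction, the last block.
    return ipaddress.ip_network(f"{net.broadcast_address}/{prefix}", strict=False)


def bit_walk(vnet: str, prefix: int = 28) -> str:
    """Render step 2 of the poster's method: V bits set to 1, G bits to 0,
    fixed octets kept in decimal, e.g. 10.119.11111111.11110000."""
    net = ipaddress.ip_network(vnet, strict=True)
    base = int(net.network_address)
    octets = []
    for o in range(4):
        lo, hi = o * 8, o * 8 + 8
        if hi <= net.prefixlen:                      # octet entirely fixed
            octets.append(str((base >> (24 - lo)) & 0xFF))
            continue
        octets.append("".join(
            str((base >> (31 - i)) & 1) if i < net.prefixlen
            else ("1" if i < prefix else "0")
            for i in range(lo, hi)))
    return ".".join(octets)


def usable_addresses(prefix: int) -> int:
    """2^n - 5 usable addresses, n being the host bits of the subnet."""
    return 2 ** (32 - prefix) - AZURE_RESERVED


def prefix_for_hosts(hosts: int) -> int:
    """Smallest Azure subnet whose usable addresses cover the requested VMs."""
    for prefix in range(SMALLEST_PREFIX, 0, -1):
        if usable_addresses(prefix) >= hosts:
            return prefix
    raise ValueError("too many hosts for one subnet")


def sizing_table(max_prefix: int = 29, min_prefix: int = 24) -> list:
    """Rows of ((min_vms, max_vms), host_bits, prefix) like the poster's table."""
    rows = []
    for prefix in range(max_prefix, min_prefix - 1, -1):
        low = 1 if prefix == max_prefix else usable_addresses(prefix + 1) + 1
        rows.append(((low, usable_addresses(prefix)), 32 - prefix, f"/{prefix}"))
    return rows


def allocate_subnets(vnet: str, host_counts: list, gateway_prefix: int = 28) -> dict:
    """Carve (label, vm_count) subnets from the start of the VNet, aligned to their
    own size, and fail rather than collide with the gateway subnet at the end."""
    net = ipaddress.ip_network(vnet, strict=True)
    gw = gateway_subnet(vnet, gateway_prefix)
    cursor = int(net.network_address)
    plan = {}
    for label, hosts in host_counts:
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size           # align up to a size boundary
        subnet = ipaddress.ip_network((cursor, prefix))
        if not subnet.subnet_of(net) or subnet.overlaps(gw):
            raise ValueError(f"{label} ({subnet}) does not fit before the gateway subnet {gw}")
        plan[label] = subnet
        cursor += size
    plan["GatewaySubnet"] = gw
    return plan


if __name__ == "__main__":
    print(bit_walk("10.119.0.0/16"), "->", gateway_subnet("10.119.0.0/16"))
    for vms, bits, prefix in sizing_table():
        print(f"{vms[0]:>3}-{vms[1]:<3} VMs  {bits} host bits  {prefix}")
    # Constructed plan: web, app and SQL subnets in a /24 VNet
    for label, subnet in allocate_subnets("10.119.0.0/24", [("web", 11), ("app", 27), ("sql", 4)]).items():
        print(f"{label:>13}: {subnet}")
```

Keep the gateway subnet dedicated to the gateway: nothing else should be placed in it, and a /27 or larger is safer than the /28 used here if you may later add an ExpressRoute and VPN gateway side by side.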
Step 6: Determine the DNS server configuration and the addresses of the DNS servers to assign to VMs in the VNet.

Azure assigns virtual machines the addresses of DNS servers by DHCP. DNS servers can be:
• Supplied by Azure: Provides local name registration and local and Internet name resolution.
• Provided by you: Provides local or intranet name registration and either intranet or Internet name resolution.

Type of VNet   | DNS server
Cloud only     | Azure-supplied for local and Internet name resolution
               | Azure virtual machine for local and Internet name resolution (DNS forwarding)
Cross-premises | On-premises for local and intranet name resolution
               | Azure virtual machine for local and intranet name resolution (DNS replication and forwarding)

See: Name Resolution for VMs and Role Instances
Step 7: Determine the use of forced tunneling and user-defined routes.
Diagram: the on-premises VPN device connects over S2S VPN or ExpressRoute to the Azure gateway; a user-defined route in the VNet steers traffic from the virtual machines through a virtual appliance instead of its default next hop.
See: User Defined Routes and IP Forwarding
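Step 7, together with the Internet traffic for VMs option in topic 3, decides where a packet leaving a VM actually goes, and the answer comes from route selection rather than from any single setting. The following added example (not code from the Microsoft poster) models Azure's rules: longest prefix match first, and for an identical prefix a user-defined route beats a route learned over the cross-premises connection (BGP), which beats a system route. It then compares the path of Internet-bound, on-premises-bound, and intra-VNet traffic with and without forced tunneling (the on-premises side advertising 0.0.0.0/0). The prefixes, the appliance address 10.119.0.4 and the VNet 10.119.0.0/16 are constructed; the next-hop type names are Azure's.

```python
"""Route selection for a VNet subnet with and without forced tunneling.

Added example, not code from the Microsoft poster. Prefixes and next-hop
addresses are constructed; next-hop type names are Azure's.
"""
import ipaddress

# Tie-breaker for equal prefix length: lower rank wins.
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


def route(prefix, next_hop_type, source, next_hop_ip=None):
    return (ipaddress.ip_network(prefix), next_hop_type, source, next_hop_ip)


# System routes every subnet gets (constructed VNet 10.119.0.0/16).
SYSTEM_ROUTES = [
    route("10.119.0.0/16", "VnetLocal", "System"),
    route("0.0.0.0/0", "Internet", "System"),
]

# Learned over the cross-premises connection (ExpressRoute private peering or S2S VPN).
ONPREM_ROUTES = [route("10.0.0.0/8", "VirtualNetworkGateway", "BGP")]

# Forced tunneling: on-premises advertises the default route, so Internet-bound
# traffic goes back through the gateway and the on-premises proxy servers.
FORCED_TUNNEL = [route("0.0.0.0/0", "VirtualNetworkGateway", "BGP")]

# A user-defined route sending traffic for the app subnet through an inspection appliance.
UDR = [route("10.119.2.0/24", "VirtualAppliance", "User", "10.119.0.4")]


def effective_routes(forced_tunneling: bool, with_udr: bool = True) -> list:
    """The route table a subnet sees, depending on what is advertised and configured."""
    routes = SYSTEM_ROUTES + ONPREM_ROUTES
    if forced_tunneling:
        routes = routes + FORCED_TUNNEL
    if with_udr:
        routes = routes + UDR
    return routes


def next_hop(dst: str, routes: list) -> tuple:
    """Return (next_hop_type, next_hop_ip) for dst: longest prefix, then source rank."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return ("None", None)
    best = max(matches, key=lambda r: (r[0].prefixlen, -SOURCE_RANK[r[2]]))
    return (best[1], best[3])


if __name__ == "__main__":
    for forced in (False, True):
        routes = effective_routes(forced)
        print("forced tunneling:", forced)
        for dst in ("10.119.3.7", "10.119.2.9", "10.50.1.1", "203.0.113.80"):
            print(f"  {dst:>14} -> {next_hop(dst, routes)}")
```

Two things the model makes visible: forced tunneling changes only the default route, so traffic to PaaS public endpoints still needs the ExpressRoute return path described in topic 3, and a user-defined route is specific enough to win over both the system and the advertised routes for its prefix, which is exactly why inspection appliances rely on it.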
Step 9: Determine how computers from the Internet will connect to virtual machines.
This includes access from your organization network through your proxy server or other edge device.
See: Methods for filtering or inspecting unsolicited incoming traffic

Step 10: For multiple VNets, determine the VNet-to-VNet connection topology.
Azure VNets can be connected to each other using topologies similar to those used for connecting the sites of an organization, using VNet peering or VNet-to-VNet (V2V) connections.
Diagram: example topologies, such as a daisy chain of virtual networks.
See: VNet peering
Planning steps for a cross-premises Azure VNet

Step 1: Determine the cross-premises connection to the VNet (S2S VPN or ExpressRoute).
Site-to-Site (S2S) VPN: Connect – sites (including other VNets) to a single Azure VNet.
ExpressRoute: A private, secure link to Azure via an Internet Exchange Provider (IXP) or a Network Service Provider (NSP).
See: Networking Limits, VPN devices for site-to-site VPN gateway connections, VNet peering

Step 3: Add routes to your intranet to make the address space of the VNet reachable.

Step 4: For ExpressRoute, plan for the new connection with your provider.

Step 5: Determine the Local Network address space for the Azure gateway.
Because the Azure gateway does not allow summarized routes for S2S VPN connections, you must define the Local Network address space for option 2 (describing your whole private address space rather than specific on-premises subnets) so that it does not include the virtual network address space. For example, with a virtual network address space of 10.100.0.0/16:

Step | Prefixes
1. List the prefixes that are not the root space for the virtual network address space. | 172.16.0.0/12 and 192.168.0.0/16
2. List the non-overlapping prefixes for variable octets up to but not including the last used octet in the virtual network address space. | 10.0.0.0/16, 10.1.0.0/16, ..., 10.254.0.0/16, 10.255.0.0/16 (255 prefixes, skipping 10.100.0.0/16)
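The two steps above amount to subtracting the VNet's address space from the private address roots and never advertising a summary that contains it. The following added example (not code from the Microsoft poster) does that subtraction with the standard library: it produces the minimal prefix set (eight prefixes from 10.0.0.0/8 plus the two untouched roots), enumerates the poster's 255 fixed-size /16 blocks as an alternative, and checks the rule the gateway enforces, that no Local Network prefix overlaps the VNet. The VNet 10.100.0.0/16 is the poster's example; the RFC 1918 roots are assumed to be your whole on-premises space.

```python
"""Local Network address space that excludes the VNet address space.

Added example, not code from the Microsoft poster. Assumes the on-premises
space is all of RFC 1918; substitute your own roots.
"""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def local_network_prefixes(vnet: str, roots=RFC1918) -> list:
    """Minimal prefix set covering the roots minus the VNet (poster steps 1 and 2)."""
    vnet_net = ipaddress.ip_network(vnet, strict=True)
    prefixes = []
    for root in (ipaddress.ip_network(r) for r in roots):
        if vnet_net.supernet_of(root):
            continue                                       # the VNet swallows this root entirely
        if vnet_net.subnet_of(root):
            prefixes.extend(root.address_exclude(vnet_net))  # step 2: carve around the VNet
        else:
            prefixes.append(root)                            # step 1: untouched roots
    return sorted(prefixes)


def enumerate_blocks(root: str, vnet: str, prefixlen: int) -> list:
    """Fixed-size blocks of root that do not overlap the VNet, like the poster's /16 list."""
    root_net = ipaddress.ip_network(root)
    vnet_net = ipaddress.ip_network(vnet)
    return [b for b in root_net.subnets(new_prefix=prefixlen) if not b.overlaps(vnet_net)]


def check(prefixes, vnet: str) -> bool:
    """The rule the gateway enforces: no Local Network prefix may overlap the VNet."""
    vnet_net = ipaddress.ip_network(vnet)
    return all(not ipaddress.ip_network(p).overlaps(vnet_net) for p in prefixes)


if __name__ == "__main__":
    vnet = "10.100.0.0/16"
    minimal = local_network_prefixes(vnet)
    print("minimal Local Network address space:", [str(p) for p in minimal], "valid:", check(minimal, vnet))
    blocks = enumerate_blocks("10.0.0.0/8", vnet, 16)
    print(f"{len(blocks)} x /16 blocks from 10.0.0.0/8, first {blocks[0]}, last {blocks[-1]}")
    print("summarised 10.0.0.0/8 is rejected:", not check(["10.0.0.0/8"], vnet))
```

The minimal set is what you want on a gateway with a limit on Local Network prefixes; the /16 enumeration is easier to audit by eye. Either way, re-run the check whenever a VNet address space changes, since a newly added VNet inside 10.0.0.0/8 silently invalidates a Local Network definition that was correct before.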
Step 6: Configure on-premises DNS servers for replication with DNS servers hosted in Azure.

Diagram: example cross-premises IaaS workload. The on-premises network, with Active Directory, connects through a VPN device over a site-to-site VPN or ExpressRoute to the Azure gateway. The VNet has separate subnets for web servers (WEB1, WEB2), application servers (APP1, APP2), SQL servers (SQL1, SQL2, MN1), and domain controllers (DC1, DC2); clients reach the web tier over TCP 443.
See: SharePoint Server 2016 in Microsoft Azure, Intranet SharePoint Server 2016 in Azure dev/test environment, Hybrid cloud scenarios for Azure IaaS

Related Microsoft cloud IT architecture resources: Services and Platform Options, Security, Identity, Hybrid cloud IT resources, Storage, Mobility, Contoso in the Microsoft Cloud