Azure Virtual WAN and Azure Firewall - building

Captions
Okay, so welcome back to another episode of Azure Corner events. This time we're joined by Martin Paschen from Atea. He will talk about how you build and manage networks at global scale with some new cool Azure features.

Just shortly, what we are all about: we are a community of today 830 members plus. It's all about learning, networking and having fun. The Azure Corner crew, it's me, Johan, Magnus and Robin. And don't be scared, it says 13 slides; I will go quickly. This is just an introduction before we'll get to the gist of it.

I imagine we have a couple of new joiners that are not locally represented, so welcome, and for you I'm just quickly going to tell you that Skåne, it's the small part of southern Sweden. We are connected to Denmark with a bridge; I will show you a picture. We have our own flag, it's seldom used. And some things Skåne is famous for: we have an architectural wonder called Turning Torso, pretty useless if you live there, I've heard. A bridge connecting us to Denmark; as you can see, at the end of the bridge you drive underwater for a couple of kilometers, pretty cool. Now in these dire times it's lit up sometimes during the evenings in solidarity; we're fighting this thing together. Zlatan Ibrahimović, he's from Malmö. Absolut Vodka, it's actually produced in Skåne. And the Microsoft Azure data center in Staffanstorp is soon released, so that's very fitting for us.

If you're attending this event, please tweet about it, post on LinkedIn, on Facebook, Instagram, all the social media, and if you do, please use the hashtag #AzureCorner. It's nice for us to see if someone's attending; it motivates us. As usual, Microsoft is sponsoring this event, and there Microsoft has produced something called badgers, and you can collect these. I will post links in the chat soon, but if you're watching this you can actually click on them soon, or you can at least use the QR code. Quickly, I will show that you can look at the Azure Heroes community map and you can see how many badgers of each have been released. Eventually you will be able to collect these and showcase them at a physical event and get some stuff. So this is the QR code that you should scan. You need to download the Enjin wallet, or if you have another wallet you can use that; it's a blockchain one. And collect your badger.

We want to say thank you to Foo Café for hosting us and sponsoring us, and Microsoft for sponsoring the whole setup. Quickly, the agenda: introductions and welcome, that's what I'm doing now. Then we will listen to Martin about Virtual WAN and Azure Firewall, building and managing networks at a global scale, pretty cool. If you have any questions during the live stream, please post those in the YouTube chat and I will bring them up with Martin afterwards. And again, please use the Azure Corner hashtag.

Before I leave, I just want to say that in December (March is still being planned; I was hoping to have planned it a little bit more) we're going to do some skill-up sessions in a couple of locations in a certification preparation format, I think. Sign up on the Meetup and you'll get notified when this happens. I also just want to say that there are other events happening in the community. Azure Day with Community is something that happens on the third of December; one of our Azure Corner founders will have a presentation about AI and a parking fine, an AI-supported parking finder app. I would also want to mention the Festive Tech Calendar; it's a pretty fun thing. You will get three topics each day about Azure, well, not just Azure but tech in general, so please check that out. And with that I would want to say: sign up to our Meetup, click like on our YouTube, we will post all of our recordings there and you can also find them on the YouTube site. And with that I'll leave the scene and hand it over to Martin. So please join us, thank you.

While you hook that up, Martin, can you say a couple of words about yourself? You probably have a presentation about it, but...

Yeah, no, just a short introduction. Short introduction, and talk and make this at the same time. So yeah, Martin Paschen, working at Atea as a solution architect, been there for about two years. Working mainly in the Azure space and hybrid data center.

So a big area for you.

Yeah, it is. A lot of scenarios are hybrid, so it's both solutions on-prem and in cloud, and those two worlds need to meet and work in the best way.

I recall in the early days of Azure the marketing was "everything will be cloud", and then hybrid came and said this is how it should be, because you can't just leave the on-prem stuff. So probably we'll hear some of that.

Yeah, absolutely. Perfect, I'll leave you to it. Thank you.

Thank you. So today I'm going to talk about Azure Firewall and Azure Virtual WAN, but before that, a bit about me first. Like I mentioned, I'm just gonna fix the technique first. So as I mentioned, working at Atea as a solution architect. My interest for IT started, I guess, in the late 80s with this little gadget device, so a computer called Commodore 64.

I can rejoin the meeting? Yeah, I'm just taking a technical break, just to rejoin the meeting so we can have a recording as well. Do you have the sharing there? Yes. So we start over then. My interest for computers started back in the late 80s with this little device, a computer called Commodore 64.
I guess some of you have maybe used it. So starting with gaming and then keep going from there. So I've been working with IT 20 plus years in various roles; for the most part I've been working in different IT departments, like a technical expert, IT specialist, architect and different manager roles as well. But in the past, I think three years now, I have been working as a consultant, and came in contact with Azure the first time in 2013. So a lot has happened in the platform since then, and it keeps happening every day and it goes faster and faster, and that's nice.

So enough about me, let's get to it. So, the Azure network. I guess a lot of you have seen this picture before; it illustrates the Microsoft global network. It's very huge and it has a lot of capacity, so I say it's there, so why not use it?

To build a bit of context before entering and looking into the different products and solutions, we need to have some background of what the trends look like in networking, and how it traditionally used to look when building a network in Azure. So looking at the different trends in networking: SD-WAN, that's something that you hear most days, every day more or less, I would say. So it's very huge; even if you use a traditional on-prem network, SD-WAN is a huge topic. Less demand for traditional MPLS, usually quite expensive connections that you pay for. And also a trend is automated configuration of network devices, so more or less you want plug and play for your network devices, in some sense.

Looking at some common scenarios in the world of Azure: traditionally hub and spoke, that's I guess quite known terminology for how you build a network, where you have your central hub and you have different spoke networks connected to that one. And how that looks is that you have, see here, your different virtual networks that you create, and in each of these virtual networks you have your subnets, and depending on how large you build your VNets and what solutions you want to deploy, it could be a number of subnets. And maybe in one of the subnets you deploy a network virtual appliance, called NVA in short here, and that could be anything from maybe the big traditional vendors like Cisco, Check Point, to third-party vendors that have their appliances in the Azure Marketplace. And to that you have your network peerings, so you connect your VNets to the hub, and to get everything working between two spokes, so that they should be able to talk to one another, you have to have routes in place. And next, to be able to communicate with your on-prem environment, you want to set up a site-to-site VPN connection, and for that you need a virtual network gateway, and you might also want to have a client VPN, so point-to-site, in this gateway as well, and in some cases maybe even also an ExpressRoute. So it could be a lot of different gateways, a lot of VNets, subnets; you have a lot of peerings and routing to take care of.

So the challenge is, with this setup you have a complexity in setting up this NVA, the network virtual appliance. You want to have it highly available, and how should that be set up, how should it scale, how should licensing be taken care of? So those could be quite complex scenarios to take care of, and you always need to have the amount and the sizing of your appliances to have the ability to take the load, the top load. Managing routes, that could be a real pain if you have a lot of networks and you have a lot of route tables and routes in them; you need to know where all those route tables are connected, to which subnets and so on. It could get quite messy quite fast. And looking at a global perspective, it could be very challenging to scale globally, and if you have larger environments you can also run into different limitations; for example, for site-to-site VPN you are limited to 30 connections. What to do after that? So this is to build some context before we look into it.

So if we should look into the good stuff, as I call it, I will start off with Azure Firewall. So Azure Firewall is a managed service; it's a cloud-native firewall. It has central governance for all the different traffic flows that exist in your environment, so you have central policies across the different VNets and subscriptions, your traffic filtering on network and application layer, and you have really nice features with built-in high availability and auto scale. So we have everything as a service. For the auto scaling part and high availability, it's possible to deploy firewalls in different availability zones, and for auto scaling it's automatic: when the CPU threshold reaches 60 on the firewall it starts to scale out, and that's totally automatic and takes about 5 to 10 minutes in the background. So those are really nice features.

Like I mentioned, you have all the different traffic flows to protect, so you have outbound, inbound, you have spoke-to-spoke, you have hybrid setups with VPN connections and point-to-site connections and so on, that you also can protect and manage through the firewall. Regarding logging, you have the capabilities, like all other Azure services, to log to a storage account, to Event Hub and to Log Analytics, and you can also integrate it with, for example, Sentinel, that's Microsoft's cloud-native SIEM solution, or if you prefer, another solution.

Regarding the rules, you have three different kinds. We'll start off with the application rules. So here we have the possibility to use IP groups, that's a resource that you create and you can add a lot of different IPs to that group, and that can be used as a source when setting the rule, and you also can use FQDN filtering and FQDN tags for the destinations and stuff like that. And for the network rules, you have fully stateful network rules; they have the capability also to use FQDN, service tags and IP groups. And the last part is you have NAT support, so you can have a DNAT if you have services that you want to expose to the internet; that's also available.

A question: what would you say is the biggest difference in feature parity between Azure Firewall and any high-end second-generation firewall?

For now, as it is at the moment, we will come to that in the next slide, but there is a difference regarding IDPS and that kind of filtering. So you don't have those capabilities in Azure Firewall yet, not in GA yet, but it still lives up to pretty high standards and it covers most of your needs.

Yeah, I gather.

Yeah, most of the scenarios it covers. Like you see in the top corner, it has a nice certificate, so it's a certified cloud-native firewall with a lot of features and more coming.

Would you, from your experience, feel that customers are hesitant to use Azure Firewall if they already have a heavy investment in, like, Palo Alto or F5 or something?

Yeah, it's like 50/50, I would say. Some customers are more for going cloud native and see the benefit of that; some are more traditional and want to use the same everywhere, mainly for having the same single pane.

Yeah, a lot of overhead, governance benefits I can see, keeping it.

Yeah, so it's 50/50.
Okay, yeah, thank you. I'll let you continue.

Yeah. Looking into the features, it covers layer three to layer seven, so all the supported layers in Azure are covered by this solution. It has built-in threat intelligence, so it's connected with Microsoft's threat intelligence security feed to block all the different threats that are available out there. And by default everything in Azure Firewall is blocked, so in and out, it's no access from start, so that's good also to know. Here I can also mention that the start throughput for the firewall is around 2.5 to 3 gigabit per second, but if needed the scaling can go up to 30 gigabit, so quite nice throughput in a firewall as well.

Looking at some features that were announced like two weeks ago: it came and it disappeared again, so I don't know if someone at Microsoft was a bit hot to press the button to publish the article, but it will be coming soon. So what was announced was a public preview with the features that I mentioned were missing compared to the third-party vendors. So TLS inspection is a feature that will come in Firewall Premium, so it will be able to decrypt, inspect and then encrypt again, sending the packages. There is a signature-based intrusion detection and prevention system also, that I mentioned to Michael was missing. We have features with web categories, so we can allow and block different categories on the web, so block gaming or drugs and stuff like that, those kinds of sites, and together with that also URL filtering. So hopefully it will come again as a public preview so we're able to look into it. All these features are only available with the Firewall Manager that we are going to look into soon, so everything is available from there.

Looking at an example for logging and visualizing stuff that happens on the firewall, you use Log Analytics and you can build your own workbooks, like all other Azure services have that capability. So here's one example of how a workbook could look, so quite nice graphs and you're able to drill down and look in the raw data and so on.

To manage your firewalls, it could be that you have more than one, then there is a resource called Firewall Manager. So that's the go-to tool where you create and deploy firewalls and also configure them. You have the availability to integrate with third-party solutions, like Zscaler, Check Point and iboss, so different security solutions that integrate nicely with Azure Firewall, and also the capability with centralized route management. And there is a pricing connected to this one. If you have a one-to-one scenario there's no additional cost for the Firewall Manager, but if you're managing several firewalls with policies, you have to pay for that feature, but in the meantime you save time. So I think that next is to do a demo of the firewall part and the Firewall Manager, so those of you that haven't looked into it before will have a sneak peek.

So just going to check with Michael that everything is good with the screen. Great. So I will jump into the Firewall Manager. So I have deployed a firewall in a virtual network, so I can show the virtual network. So there is a requirement for a subnet that's named AzureFirewallSubnet, exactly as you see on the screen, that will be dedicated for the firewall resource, and it's a /26 subnet size that you need at minimum. You can have larger networks, but that's the minimum, because the firewall service should be able to scale. So you see here, in this part in red, the firewall subnet name and a /26.

So looking in the Firewall Manager, I have the firewall deployed here, as you can see, and if I just look into the firewall, it's not exciting at all. As a resource it does what it should do; you don't have to spend time to maintain it, patch it, upgrade it, replace it, so very nice service in that sense. You have the option to add additional public IPs, so you can have up to 100 public IPs connected to a firewall, and maybe you'll have a scenario for that. And connected to the firewall you have a firewall policy, and that's where you have the focus on the rules that we will start looking into. So you have the three different rule sets that I described earlier. So you have the DNAT rules, so that's from the internet to something that you want to publish, like in a DMZ or something inside your network, for example an SFTP server or something like that. And looking at the rule, you don't have to come from the networking segment from earlier; it's quite easy to understand the rule sets and how they work. So I just made an example here where I publish port 22 from the internet to an address on the inside, and with these DNAT rules you don't have to create an additional rule in the network segment to allow this traffic to happen, because when the traffic hits this rule it will automatically create the allow rule for that session and take it from there.

And regarding the network rules, you have IP addresses as source type, or IP groups, as I mentioned, where you can group a lot of different IPs in the same so it would be easier to maintain and manage. You have the source, destination, and here you have the possibility to use IP addresses, service tags; the service tags are the different services in the platform, like in this example I've chosen a service tag and I've chosen Azure Monitor. So that's also really a nice feature and it gets easier to maintain. And you have the option to use FQDN and IP groups as well. And for the last part, you have the application rules, where you have the options to use IP groups, you specify what kind of protocol it is, so HTTPS port 443 is allowed in this scenario; it could be SQL on 1433 or some other service that could be used, and then you can use FQDN or FQDN tags to specify and do those rules. So it's quite easy and you can focus on the parts that give the real value directly. So fast and easy to create a resource, it's very easy to create the rule sets and the different scenarios that you want in that aspect.

Some other features: you have the capability to use the firewall as a DNS proxy and DNS server, so you can specify to use Azure Firewall as your DNS and then you can have your custom DNS, or you can use it as a proxy also. So that's quite a new feature. And for the threat intelligence part, the part that was connected with the Microsoft threat intelligence feed, you have the option to turn it off, you can choose to alert only, or alert and deny, and if you have some false positive or false negative scenarios you can add different IPs and allow them to override the intelligence feed. So that's something that's built in, just switch on, save, and all the information is available in the logs if you want to trace the scenario. And the part that I hope is coming soon then is the Premium part, so we also can look into the more advanced scenarios with TLS inspection and that part. If I just should look into the firewall itself, you can see that it gets a private IP from the subnet, so that's the IP that you want to point out when you route your traffic and want to send it to the firewall.

So that was the demo part for Azure Firewall. So as you can see, it's a really nice service that you can get fast improvement from instantly, and you can focus on other stuff in your business that gives more value than patching, maintaining and changing your firewalls over time. So I think that we
should go over and look into Azure Virtual WAN.

Just before you switch context: you said this is a really nice way for the business to not need to update and patch their firewalls. So what's the switch here in your responsibility for the firewall setup? Is it only the configuration, and the rest is managed by Microsoft?

Yeah, so it's the same scenario as the PaaS services in Azure. So Microsoft manages the patching and updating and that part; you manage, with the tools provided by Microsoft, the rule sets. You maintain and create the rules. So yeah, you have the responsibility if you configure it wrong and you have a security threat in your network; it's basically the configuration.

And if you need to scale it up and down, can you set those limits?

You don't set it; it's totally automatically set. So you have the threshold with 60 on the CPU and then it will scale, and also with the bandwidth, if needed, it will scale up to 30 gigabit to handle the scenario.

You said custom DNS, that's a pretty new feature, is it? How new is it?

Like six months, something like that.

It's old, yeah.

Something like that in cloud measures. So it's a nice feature to have also.

Okay, cool, yeah, that was my question.

Yeah. So looking into the Virtual WAN. It's been around for a while, but a lot has happened with it, I would say, since summer and onwards; quite a lot has happened. So it's a network service that leverages Microsoft's global network, so like the first slide I showed you, the big global network that Microsoft has available. It's a managed service by Microsoft and it's automated. It's large-scale branch connectivity and it has optimized routing using Microsoft's global network, and it's one place for managing your network and the different connections that you have. And as it's one place, it's easier to optimize security and agility within your global network.

So looking into the different components, what's in it and how you can use it. So you have two different types of vWAN: you have the Basic, where only site-to-site VPN is available, and you have the Standard, where we have ExpressRoute, site-to-site, point-to-site, you have inter-hub communication, you have VNet-to-VNet, so all scenarios are available in the Standard feature. And looking at the different resources, you have like a virtual overlay and a service that's a global one, so a logical virtual representation, Virtual WAN it's called. In the Virtual WAN you have something that's called a hub, so a virtual hub, and you can have one hub per region, and the resource that you deploy is automatically deployed in different availability zones, so you have a high availability solution in the back in this managed service.

And looking at the different connectivity options that you have in this solution: you have the site-to-site, as we mentioned, with the capability of 20 gigabits of throughput. It supports IKEv1 and IKEv2 and you have the option of up to 1000 connections per hub, and that means that you can have two thousand, what it's called, you have active-active, so you can have two thousand sessions established, but it will be a thousand connections perhaps. So it's quite a lot if you compare that to a single virtual network gateway where you can have 30 site-to-site connections, so it's really nice. Looking into the part with the point-to-site, so the client VPN, you have the same in the gateway where you have 20 gigabit throughput, you have the IKEv2 option, you have OpenVPN, and for the authentication part you have certificate-based, you have RADIUS, and the coolest one, I think, is Azure AD authentication. So you will be able to leverage the intelligence of Conditional Access and those parts, and having an identity as a really nice layer of security with that feature, and that is only supported together with OpenVPN. For ExpressRoute, the same here for the gateway, 20 gigabit, and it's supported with eight circuits per hub, and nowadays you can use Standard circuits; a while back it was Premium only, but that has changed, and also the number has increased to 8. So quite a lot has happened in that sense. And for VNet, so hub-to-VNet connection, you have throughput of 50 gigabit, and that's also, yeah, should be enough.

Looking at the pricing part, you have no upfront costs, no termination fees, and like everything else in Azure, pay for what you use. So there could be some scenarios when you work traditionally with connections all over the world where you might have some termination fees and stuff like that if you end it earlier than your agreement and so on, but all that part is totally skipped here, so that's also nice. I don't know if it's small to read, but you have the pricing here in hours for the different scenarios. Basic isn't mentioned, because there are no fees for that hub, but otherwise it's Standard and the different features and gateways that are deployed that you pay for, and here is also the pricing for the Azure Firewall at the bottom. And if you want to look into more scenarios for pricing, the Azure calculator is a good tool to use.

For the Virtual WAN solution, there are a lot of partners that integrate with their solutions, because there are open APIs to use, so the different partners can build solutions and interact with Virtual WAN in a good way. So they have more or less pre-configured devices that you connect, that are pre-configured against Virtual WAN and have optimized scenarios for traffic flows and so on. And there are also, right now, two players whose virtual appliances you could deploy directly in the hub, and that's from Barracuda and Cisco Viptela; those are the two solutions. So they are SD-WAN solutions, both of them. So if you prefer to use your third-party vendor solutions in the hub, it's those two that support it in the hub, but the others could be used if you connect the VNet to the hub.

If we look at the architecture, I think this is the picture that Michael sent in the invitation also. You have the Virtual WAN and the hub in the middle, and you have the option to connect all these different sites to the hub. So you have your different branches, so you connect those with site-to-site; you have your remote users that use point-to-site, the client VPN; and maybe to your headquarters or data center you might have an ExpressRoute; and in Azure you can connect all your different VNets from different subscriptions and so on. So that's a peering that does occur between the VNet and the hub. There's a scenario also where you can have hub-to-hub: if you have one hub in West Europe and one hub in East US, those can talk to one another, and you can control it. In this scenario it's hub-to-hub only, so they can talk to one another but the VNet could only talk to the hub in its own region.

Looking at another architecture, it's the any-to-any scenario, and that's what Virtual WAN really is built for and should be used for, that everything could talk to anything. So between regions, branches over regions, they can talk to one another, and that's a really nice feature and you really leverage the global network that Microsoft has available. Looking at an example, and also how the traffic flows: the pattern is that you go from a branch device to your ISP and then you hit the edge. You may have heard of PoP, or point of presence, or edge sites that Microsoft has; it's available at, I guess, 150 or so in the world that you connect to, and then you have the optimal way and route to the nearest, or to your, data center where the service is located. So you have a fast entry to the Microsoft global network and fast throughput to the resource, and then back again. So you really leverage that structure. So yeah, it's easy to scale, as you see; it's easy to deploy all over the world and build this global architecture. And there is a
reason why I started off with Azure Firewall. So if we should put the pieces together, we have the Virtual WAN and we have the firewall, and together that's called a secured virtual hub. So that's a terminology that Microsoft uses for this scenario, and what that means, what this architecture shows, is that you have the capability to deploy an Azure Firewall in your hub and you can control the flow of the traffic through the firewall, maintain the routing, the rules. You have the ability to talk any-to-any, but should it be allowed, what should be able to talk to one another and so on. So that's a really nice feature, to have everything integrated in one place, in the hub. So I will show a demo also of Virtual WAN and how it looks and how it could be used.

The other screen? Correct. Yep.

So looking at the overview in Virtual WAN, this is the first page that you come into in that service. You have a really nice overview; you see the blue spot in the middle, in Amsterdam, because I've deployed in West Europe. You have a good overview of where you have your different hubs in the world, you have a list of the status of the different hubs, you have an overview of the resources that are deployed and so on. So looking at the configuration part, you have the option here in the Virtual WAN type: you have the option to deploy Basic or Standard. I've gone for Standard to show you all the different options. You have the possibility to upgrade from Basic to Standard if needed. And then you have the scenario with the connectivity, so hub-to-hub is enabled, it's possible to talk globally, so between regions, and branch-to-branch is enabled, so that's the scenario with any-to-any connection.

I'll start off with virtual network connections; that's where you configure which virtual networks, or spoke networks, should be connected to the hub. So in a traditional hub-and-spoke scenario this is your new hub, so all the different VNets that you want connected will be presented here, hopefully anytime soon, eventually.

While it's loading: so what were the challenges setting up big networks before you had this vWAN hub?

The part is the routing in between the networks, so all the different route tables that you have and you have to connect to different subnets and control the traffic flows, and if you have a large environment and a global environment, that could quite fast get really tricky to get hold of all the things.

So you had to be creative to get that working before this hub?

Maybe not creative, but it's a lot of documentation and scenarios to look into, and a lot of places where things can go wrong if you configure it wrong.

And now it's easier.

Now it's easier, yeah, exactly, yes. Okay, so looking at the different virtual networks, I've connected three different ones in this scenario. So it's very easy to just add a connection: you choose your network and then you're done, and then you have the available option to connect this to different route tables, which we will look into soon also. I haven't deployed ExpressRoute in this scenario, could be tricky to have in a demo, but I have defined a VPN site where I have a site-to-site VPN connection established, so the possibility is to have thousands of those, as I mentioned. And you have a nice overview from here and you can download your configuration; you see what to configure in the other end, on premises, so that it should work. And I also have a user VPN configuration configured with Azure AD authentication, so the OpenVPN part, and in that case you specify an address pool for your VPN clients to use, so that differs from the hub itself.

So looking into the hub, as I mentioned, one hub per region, and here you have the capability to create the different gateways for the different scenarios that you might have. So you don't have to start with everything at once; maybe you just want to have a site-to-site at start, but then you want to move also your point-to-site, and you can scale from there and just deploy the different gateways. So in this demo environment I've set up a gateway, like you see here, the green, it's provisioned, and one gateway for user VPN, and if I had ExpressRoute I would just go and create one of those. And the cool thing here is that you also could deploy the Azure Firewall service directly in the hub, so you have everything in one place, and for partner options you have the option to deploy Barracuda or Cisco SD-WAN with Viptela, and that's a quite new feature, since late summer.

Looking at one of the big benefits of using Virtual WAN, it's the routing part. So, as I'll show here, you have two route tables that are created out of the box: it's the Default one and the None. And you have the option to create custom route tables if you want to control different flows in your own way. You might have a security appliance in an attached VNet and you want to send traffic to that one; then you create a custom route table and specify the scenario. You can look into the custom route table: in this scenario I have specified to use a Meraki appliance, which connection it should go over and what IP should be the next hop for reaching that specified network. So that's a totally custom scenario, but fully supported, and then you associate that route table to a virtual network for the traffic you want to send through that appliance. But for the most part, if you use like the standard setup, Azure Firewall and Virtual WAN, you should be good to go with the default setup, and that's the scenario: when you connect a virtual network to the hub it automatically builds the routing based on that and so on, and even when you connect your VPN sites and those parts.

So looking into Firewall Manager, maintaining and managing this firewall that's in the hub, it's the concept with a secured virtual hub. Like before, you have the capability to add additional public IPs and you have the option to connect with partners, like Zscaler and those that I showed before. And the really nice feature is this one, I think, where you have the option to control the flow of your traffic from one point, one place in your environment. So for internet traffic I have specified that I want to send internet traffic through Azure Firewall, and I've also specified to send private traffic through Azure Firewall, and as you see down below here I have all the different connections that I have, both VNets, I have point-to-site and site-to-site, so no matter what type of connection it is, it could be controlled and send the traffic through Azure Firewall, and there you have your rule set for what should be allowed. And that could be individual control also for each connection in that sense, but I think this feature, where you control and maintain and automatically build your route tables based on these settings, gives you real value and ease in the maintenance part over time, I think. And for the other part, it's the same as I mentioned with the firewall policies that are connected, so I have a firewall policy that's connected to this firewall with those kinds of rules, and that doesn't differ. So the really nice feature, as I mentioned, is the part where everything is controlled, the flow of the traffic, from one place.

There are some nice features also, some insights that show you your topology, so you get a nice overview of your environment and all the different resources and connections that you have established, and from that you can build your own workbooks and collect your logs, metrics and so on to visualize in different dashboards.

So looking at a real-world scenario, how it could look, it's a scenario with a global environment with three different hubs: one in East US, one in West Europe and one in Southeast Asia. So in each hub there is a gateway deployed for site-to-
side communication one firewall deployed for the communication within the region and the different networks that's needed are connected to the environment um and if you have a scenario uh where you bring up a new business in for example uh yeah what to say africa or something you can deploy a new hub and [Music] like 10 minutes later up and running in in africa so you can really extend your network leveraging from from the global network that microsoft have and that's a lot of capacity in it so when to use azure bot von and secure virtual hub you would like to enable some new capabilities uh you might find it hard to to scale globally as you mentioned you want to simplify your management so routing is a big part also the different gateways that you connect and create you have everything in one place you have all the logging in one place etc you want to build a global distributed network you want to save money you can change from having mpls connections to have local internet breakout and maybe pay less and use microsoft's backbone to to optimize the flow you have multiple branch offices that you want to connect maybe more than 30. 
and you might have remote workers located all over the place so all over the world you have users that want to connect they can leverage from [Music] using the client vpn to connect and from that they are connected to the region that is closest to them so they have an optimal performance as well so they leverage the traffic manager in the background to optimize the traffic flow um and that's there is a nice azure vpn client that could be used for these scenarios also together with uh azure id authentication so that's a nice feature as well so that was my last slide so i want to thank michael for inviting me and the azure scone user group and if you have any questions if i uh look at the questions there are none but there is one that says he's doing a poc eventually uh do you have any tips where to start how to start what you should avoid doing how are we doing i think a nice start is to there is a lot of good documentation in microsoft's sites reader through understand architecture and the different scenarios and then from that build a small demo environment like the one i presented here you can connect a simple vpn side-to-side connection from another cloud or from on-prem and try to to do different routing scenarios [Music] and go from there and uh would you you would of course say that you should do it in the portal but do you do any with infrastructures code and arm templating and yeah you could leverage uh infrastructure's code there is four simple deployments there is uh in a quick quick start gallery gallery yeah you could use that yeah there is something to start from but the service itself is more api and like rest based and portal that that's what microsoft says but there is options to use infrastructure code as well okay nice well i don't have any other questions is there anything else that you wanna you think you must mention i don't think so so but if you have the option uh try it out because uh i think it's happened a lot the last six months in the 
service it has really nice cool features that you can benefit a lot from on that note he said it had a lot of new features has come in the last six months yep so if you started early and is there anything that you have to to redo or a service outage that you never happened or anything like that not no not in that sense but you they have changed a bit in a routing table so you had it was the other way around before yes so you have to so there's still some management around it but you don't have to do the patching of the firewalls or the hub services etc exactly so you have to configure and of course to maintain your routes but it's in one place and we have control of everything in one place that's a big benefit instead of going all over the place to to manage of course by using infrastructure code you have a benefit yeah but that could be also yeah like a cliff if you come from traditional on-prem network to go to infrastructure code that could be quite interesting when you mention that so if you've been in the in the azure space a while you you would be tasked with doing networking even if you didn't have the networking background and now i've i've faced that in in several scenarios where the networking group they don't do anything with cloud but then you come with with cloud and you want to connect it to your existing network there was a clash there yeah do you experience that today yeah i do in some cases uh so this uh i myself is not a network guy it doesn't it doesn't show no but that's the case so yeah i think it's uh fun and there are some nice features but there is uh yeah a miscommunication between traditional on-prem that maybe talk a certain language so they suppose that you know maybe uh when talking about networking yeah but you if you don't are a networking guy from the beginning or girl uh yeah you have to have find a balance and maybe elaborate a bit more what you actually mean and what you want to achieve and then take it from there yeah yeah it's 
an interesting world yeah okay well thank you for your presentation i'll we'll just shift there and i'll end the session thank you and for all the people online i'll just gonna end it with some reminders of course the badges please claim them join the meetup site join the meetup site and please subscribe to the youtube maybe this recording will not be the best one we'll see and uh in uh keep an eye out in december maybe early january we'll have some skill up sessions uh the structure around it set so we will push that out to the meetup and uh i would wanna say the asher community day and the festive tech calendars those are good things that you can keep yourself occupied with and with that i would want to say thank you for this time and watch this space we'll be back thank you you
Info
Channel: FooCafe
Views: 1,230
Keywords: Learning, Sharing, Software Development, Agile
Id: TYhcCXec21c
Length: 81min 45sec (4905 seconds)
Published: Tue Dec 01 2020