>> In this session, we're going to be digging into
what's new in Azure Networking. Today, we're going to be covering an overview of the
Microsoft global network. We're going to be talking about product updates related
to Azure networking, as well as our roadmap and information on Azure
networking skilling content. Let's start off with our
global network infrastructure. Microsoft has been in the global network infrastructure
business for 25 years. We initially created our
global network infrastructure to support the production of
Microsoft Windows worldwide. We started with one datacenter
in the United States, and then we expanded to three
additional datacenters, one in Singapore, one in Ireland, one in Puerto Rico. Today, with our global
network infrastructure, we support the update of five billion Microsoft
Windows endpoints worldwide. Later, we added Bing, and with Bing, of course, performance matters a great deal. With Bing we added the notion of network points of presence, or POPs. The idea behind a POP is to bring the DC in closer proximity
to the end-users. We do that to reduce latency. Then with Xbox, with low
latency gaming requirements, we had to expand our network
pop footprint even further. Then with Skype and now Teams, it's essential that
especially for video content that we reduce jitter and
we reduce drop packets. With that, we've had to invest to
improve our quality of service. Then with Office 365
and specifically with Exchange and the replication
of exchange data assets, we had to expand the
ability of our network in terms of bandwidth to
replicate data globally. Finally, now with the addition
or the introduction of Azure, we enhanced our global
network infrastructure to support five-nines
of availability, and we're currently in the process of onboarding GitHub onto this network. The key message here
is that Microsoft is a leading provider when it comes to global networking infrastructure. We have all of our first-party
services and properties, and our own IT is hosted on
our network infrastructure. Of course, we have thousands of enterprise customers who depend on this network for mission critical, business, and government
applications. Microsoft leads the Cloud industry in terms of geographic
reach for Azure. We're in more regions around the globe than any
of our competitors. In fact, we're in 61 Azure
regions worldwide today, and to connect up all these
regions using undersea cables, as well as cables across continents, we have over 165,000 miles of fiber. Microsoft has the best-performing
Cloud network in the industry. Eighty-five percent of global GDP is covered by Azure Networking
points of presence that are within at least
25 milliseconds of that GDP where business and
government activities happen. Once the traffic comes into our network from the
Internet or from on-prem, that traffic stays on our network. As a result because we're
using our network to move data from any region within Azure to any other
region within Azure, we beat the Internet in terms of inter-region pairs over
99 percent of the time. Of course, security is critical, especially for data that
is within our network. All data is encrypted from DC-DC. It's encrypted by default. For Cloud computing, zero trust-based networking
security is essential. That's why all DC-DC traffic within our network is
encrypted by default. In addition, for end customers
we give you the ability through special constructs
designed for you to segment your networking assets. We give the ability to segment them with respect to
Azure subscriptions, virtual networks,
network security groups, application security groups, and
through our firewall capability. We have services like
Azure ExpressRoute. They give you the ability
to have dedicated and private connectivity from
your on-prem networks, extending your on-prem
networks into Azure. Then we have a vast team of data scientists and
cybersecurity experts who are working 24/7 to mine information and data from
all of these assets, and they bring them into what
we call the Microsoft threat intelligence feed that we
feed then into products, like the Azure Firewall. When you're using the
Azure Firewall service, you're able to take
advantage of all of these IQ of the human
beings and all of these datasets to enable threat intelligent-based filtering that's
enabled by default by the way. If you're a developer, all of these Azure Networking
based security services are available to you by
default as a service. A great example is Azure
Web Application Firewall. This is a Cloud-native
firewall service that you can use for
web app security. In addition, we have a
number of layer 7 based services that can help you
secure your applications. We have Azure Front Door, we have Azure App Gateway
as just a couple of examples that can help you with
application level load balancing, scaling, and high-availability
for application delivery. Now, I'm going to hand
things off to Narayan. He's going to walk you through some specific updates
related to Azure Networking. >> Thank you, Tad. Today, I'm going to talk to you about the announcements and the new updates across the different networking services. When we talk about Azure Networking, we think about all the different scenarios it enables, so we classify our services under these different scenarios. It is very important for a customer to start with a secure infrastructure and then build on top of that, connect on-premises into their Azure networks, and enable remote work. In these times, it's super important that remote workers are well-connected, and of course, application distribution and global app delivery are key aspects of any business application. Azure Networking has a number of different services that help customers adopt these. Of course, we'll talk about emerging technologies like 5G and edge computing. If you think about this infrastructure that you can build in Azure, what forms the secure network infrastructure is your virtual network, then the Azure Firewalls, DNS services, and network monitoring and troubleshooting. Azure Virtual Network gives you a private, isolated network that you bring into Azure. This is where you start; this is a container for
all your resources. Typically, it's something that
holds your different computes, like virtual machines
or Kubernetes service, but of late we've been extending this VNet concept to
Azure PaaS services, things like Storage, SQL DB, and Cosmos DB. Azure Private Link was launched roughly a year ago with three services, Storage, Cosmos DB, and SQL, which provided a private way to connect to these services. A customer could just be within the VNet, within the private boundary of the virtual network, and still connect to these PaaS services by creating a private endpoint in the VNet. By doing this, it protects that VNet, because by default Azure Private Link has protection against data exfiltration. Only the customer's resources of the services, be it Storage or SQL, are mapped into the customer's VNet, not the entire service. That way, the egress connectivity from the VNet stays within the VNet. It never leaves the VNet; it stays inside the virtual network. On the other side, it protects the Azure PaaS resource because only the VNet is allowed
to talk to this resource. By using Private Link, a customer is able to bring
the Azure PaaS services fully within the VNet boundary and so the policies defined
for that VNet apply. Azure Private Link is also extensible to customers' own services, so this could be used for an infrastructure service. The customer may use a different VNet, or a shared service that maybe all the substituents have to share. Now, instead of doing peering or connecting via the public Internet, they can just use private endpoints to connect between the different VNets, not for the specific service endpoints. Now, what we have right now, a year later, is 36 services supporting Azure Private Link. This allows the customers to complete the scenario end-to-end; it's not just for data services. Now, Private Link is extended to compute services like AKS and different analytics services like Synapse Analytics. All of these together provide a combined, powerful end-to-end scenario that is fully private. Moving on, I want to also talk about the Azure Virtual NAT service. The NAT service provides a fully managed Cloud-native
way to connect to the Internet. This enables you to have your private subnets without
any public IP addresses, connect to the Internet just
by a click of a button. The Azure VNet NAT service is scalable, and it's fully managed by the platform, so there is no need to worry about SNAT port exhaustion anymore because it can scale according to the demand. This also provides a way for subnets that may have a load balancer as the inbound Internet connection: you can still use the Azure NAT service for outbound. Any connection coming in through the load balancer will go out through the load balancer, but any connection that is originating from the subnets will go through the NAT service. Using a NAT service is very simple, a click of a button. Now, all the Internet connectivity can be behind a single IP address or a prefix of public IP addresses. That way it makes the whitelisting very easy for the people on the other side. This service is already generally available, and available in all the Azure regions. Moving on to Azure Bastion, we offer a popular service for secure RDP and SSH connectivity. We have a couple of new
improvements on this service. One, Bastion can now extend
to on-prem VMs as well. By this, you can just have a single Bastion service that you can use to remote into any virtual machine, be it in Azure or on-premises. Also, it now supports peered VNets. What that means is, instead of having a Bastion service per virtual network, you can just have one Bastion service and use it across the different VNets that are peered. With the on-prem connectivity also tied in, the Bastion service really becomes your infrastructure that you can run maybe in a transit VNet or in another shared VNet, and again, use that as a secure connectivity means for all of the VMs in your network. These two features are currently in preview. Azure Firewall has been a pretty popular service. Most of the enterprise customers are adopting it for its threat intelligence protection, as well as layer seven protection and FQDN filtering. We are advancing the capabilities of Azure Firewall by adding support for SQL traffic filtering. What this means is when you connect to your SQL databases from your VNets, you can make it pass through the
Azure Firewall and you can have data exfiltration protection
now for your virtual networks. We also have an automatic
forced tunneling by which you can chain these Azure Firewalls
with the on-prem firewalls. Customers can just go through
the on-prem firewalls, then the Azure Firewalls
before hitting any other workloads in
Azure or the Internet. We also have support now for FQDN filtering for all
protocols and ports. These features are right
now in public preview. With Azure DDoS, we mitigate
attacks from the Internet. We always try to
mitigate it closest to where the users will attack us from. But if the attack does spread across the different regions or
different points in the globe, we're able to leverage Azure's global backbone network to have the mitigation triggered
from a different region as well. Thereby, we're able to handle a much higher mode
of attack if need be, all the way up to 45
kilobits per second. This is a new ability that we
have enabled in the DDoS platform. With network monitoring, there are a couple of interesting updates too that I want to share with you. One is we now have what is called the Azure Monitor for Networks blade. This is part of Azure Monitor itself, and this is turned on by default. When you go to the Azure Monitor page, you will have a section, or a blade, just for the network resources. Any network resource that you use, be it a load balancer or a Virtual WAN, you will see the corresponding monitoring for that right there. Instead of you having to go enable any new service or product, we give this to you right now by default inside the Azure Monitor blade itself. A lot of different services will obviously have these monitoring data points show up by default over there, and it makes it easy for you to have a single place to look at all of these things. In the past we had Connection Monitor and Network Performance Monitor to monitor the hybrid connectivity from ExpressRoute, and we had Network Watcher for different connection monitoring inside Azure. We're combining all that into a single offering called Connection Monitor, which will provide you the full connection monitoring capabilities, as well as troubleshooting if you have any drops in your network, and the connections will also show you the latency the way Network Performance Monitor used to show. By combining both Azure and on-prem together, you get a single experience for connection monitoring. Again, these two features are currently in preview, but they will be GA pretty soon, before the end of this year. Now, let's move on to on-premises and branch connectivity. Like I said, almost every customer has an on-premises network that is connected to Azure, whether through a VPN, through ExpressRoute, or through a simplified connection topology using Azure Virtual WAN. Now, let's look at the updates
on these different services. With Azure ExpressRoute, which is the flagship connectivity
for enterprise customers, we have now added more monitoring
into Azure Monitor, which I just mentioned. By default, if you go into Azure Monitor, you'll see a lot more metrics for the ExpressRoute circuits and ExpressRoute gateways in the Azure Monitor blade for networks. Now, we've also expanded the number of circuits that the Azure ExpressRoute gateway can support from four all the way to 16. This is really done because many of our customers have a lot of different entry points into Azure, but they may be using only a few of the Azure regions, fewer Azure VNets, and fewer Azure VNet gateways, but they want the ability to connect the different circuits from different geos into the Azure VNet gateway. This provides multiple paths, as well as higher resiliency and better reach into the Azure global network. This is currently in preview. With Azure Virtual WAN, we have made a number of improvements over the last few months to years. I'm happy to say that the hub-to-hub connectivity is now fully GA, and what this enables is if you have two Virtual WAN hubs in two different regions, and if you connect them, all the spokes behind these hubs can now talk to one another by default with no other extra configuration. This is generally available and makes it easier to connect between the VNets in Azure. Another really interesting feature is the customized routing. With this, what you can do is there is a user-defined route table, sort of, for every VWAN hub, and now you can have some tags across VNets. For example, you can group a bunch of spoke VNets as blue, you can group a bunch of spoke VNets as red, and you can have a different routing table for the blue group and a different routing table for the red group. Thereby, you're able to control the routing of clusters of the spoke VNets that are part of the Virtual WAN hub. This gives you a lot more power on who connects to whom and gives you greater flexibility in controlling these different connectivity points. Azure Firewall Manager, along with Azure Firewall in the Virtual WAN hub, is also now generally available. The Firewall Manager can configure the different secure SaaS solutions just from the Firewall Manager itself, and that's also generally available. A couple of notable points on the SD-WAN ecosystem with partners. Number one, we announced Barracuda as an NVA in the hub back in July. Now, Cisco Viptela is also joining as another NVA in the hub. With this, it simplifies the end-to-end connectivity for customers and also allows the customers to take advantage of the full power of the SD-WAN solution that is powered by Cisco Viptela or Barracuda. By enabling the NVA in the hub and inviting these two partners to be part of that, it simplifies the end-to-end experience for the customer and brings a lot more power to the whole SD-WAN experience in Azure. Also, not to mention, connectivity partners on the VWAN side: we've added a couple of new partners like Aruba and Open Systems, and they all are connectivity
partners through our VPN gateway solution in the VWAN. This ecosystem continues to expand and we continue
to add new partners. Let's look at the VPN remote
work connectivity section. Over here, our Azure VPN gateway has been a flagship product to
bring in branch offices, as well as remote point-to-site
connections into Azure, and we have a few exciting
updates to share. At the top of the list, VPN Gateway can now work with ExpressRoute private peering to provide an encapsulation mechanism. Instead of using any custom provider to encapsulate the data that is coming via ExpressRoute, you could just use Azure VPN Gateway itself. On top of the ExpressRoute private peering, you could have VPN Gateway provide end-to-end security by doing IPsec encapsulation of the traffic. This is going to be really helpful for customers that are looking for end-to-end encryption, all the way from on-premises over ExpressRoute. Now, we have also simplified the connectivity options; for example, instead of depending upon a static public IP address, we are now able to connect these VPN gateways through an FQDN that the customer can provide. That just makes the connectivity more simplified. We also support BGP through APIPA addresses for legacy devices. There's been a long-standing ask from customers, and we have that right now. Now, with the whole pandemic, we saw a surge in connectivity of remote workers into Azure virtual networks and Azure resources, and Azure VPN Gateway has seen up to a 94 percent increase in daily connections. Now, to help with management of these connections, we have added some useful tools where an administrator can go and connect and disconnect user sessions based on what they see and where the users connect over
from a management dashboard. Moving on, I want to touch
upon the different updates we have on the secure global
app delivery section. This is an area where we use different load balancers and our global load balancing
to distribute the content. It includes services like Azure Front Door and Azure
Application Gateway. But let's look at the
updates of these services. With Azure Load Balancer, we're announcing a
public preview of cross-region load balancing. Now, what this means is customers can now have a single anycast IP address as their global frontend, which will be advertised from all the Azure regions. This can sit on top of the regional load balancers. With this, customers can build a global load balancing solution with a single IP address. This enables easy or quick failovers. If a region had to go down, Azure Load Balancer will automatically distribute this traffic differently, to a region that is actually healthy. This works seamlessly on top of the existing load balancing solution that they use with
regional load balancers. Instead of using a DNS layer on
the top to do global distribution, customers can enable a
global load balancer and point their backend endpoints to the regional load
balancer solution to make this seamless for
a global load balancer. This is currently in preview and
this will go to GA in the future. Now this slide combines our
different services together, the Azure Front Door, the CDN, and the Application Gateway. The way for you to look at
this from left to right is on the top or on the Edge, we have Azure Front
Door or Azure CDN. Azure Front Door does
global load balancing, global layer 7 load balancing. This is done from Azure POPs, so it's widely distributed, so it gives the end user
the lowest latency. Azure CDN is great
for static content, which serves static content
from a POP location. Now, as customers come
inside using these POPs, on the back end you can always
have an Azure Application Gateway, Azure Layer 7 Load Balancer
which can do both, public load balancing as well
as internal load balancing. Now, some of the updates on
the services is that with Azure WAF that actually works on Azure Front Door as well
as on Azure App Gateway, it has tight integration
with Sentinel right now. The Azure WAF logs could now
be consumed in Sentinel, making it a single place for all of your logging from a security and from Sentinel standpoint
for you to look at, that makes integration
seamless and easy. With WAF, we also have
per URI policies, so for different URIs you could have different WAF policies
that makes it a little bit more customizable for the content and makes it a little
bit more powerful. For CDN, we have the
multi-origin support, so if a region had to go down, we'll do automatic distribution to a different region to continue
to serve the content, so this makes it easier for high
availability in failover cases. With Application Gateway,
we have simplified the whole AKS Ingress
Controller integration. With a single CLI, you can set up both the
Application Gateway as well as the Ingress Controller for
Azure Kubernetes Services, that makes it very easy for customers to compose and build
their services together. With that, I'll hand it back to Tad to talk about some of the newer emerging technologies
in Azure networking. >> Thank you, Narayan. Let's
wrap up by talking about some emerging technologies
that we're working on within the Azure networking team. First of all, 5G and Edge computing, these are incredible trends, they're going to be highly
relevant to IT moving forward. An important feature area
for us moving forward is something we're
calling Azure Edge Zones. Azure Edge Zones is something
we announced recently, and I'll just give you a
quick overview, an update. Azure Edge Zones, it
brings the Azure API in closer proximity to where things are happening from an
enterprise IT standpoint. Azure Edge Zones is highly relevant especially for 5G and 5G-based workloads. The way to think about Azure Edge Zones is that it's the point-of-presence concept that we talked about earlier, but it's not just networking, it's also compute, storage, and Azure services. The way to think about Azure Edge Zones is that it is just another Azure region, but in more proximity to
you and your workloads. It comes in three different forms, there's the Azure Edge
Zones capability which is hosted within a Microsoft
POP, a point-of-presence. There's a mode that Azure Edge Zones runs in
where it's hosted by one of our carrier partners on top of their infrastructure in one of
their datacenter environments. Then we have something called
Azure Private Edge Zones, where you can bring Azure Edge Zones into one of your
datacenter locations. Earlier this year in June, we entered private preview with
one of our carrier partners AT&T. We have an Edge zone now
running in Los Angeles. >> What's going on Jamkazam. [MUSIC] >> Hi, I'm Seth Call, VP of Engineering of Jamkazam. Jamkazam, over the past six years has built the best platform
in the world for musicians to play
live and in-sync over the Internet with high
quality audio and video. We are thrilled to be
developing on Azure Edge Zone with AT&T for our new
audio relay service. Musicians can feel every millisecond of latency when they play online. But if you can take AT&T's 5G
network and compute on the Edge, a company like Jamkazam
can provide a tangible, better and tighter
music session online. >> All right. >> All right. That was so much fun. >> Thank you. >> Private Edge Zones is
currently in preview as well, and we have an ecosystem of
virtual network function partners that you can work with
to deploy Private Edge Zones. At the beginning of
the presentation we talked about our global
networking infrastructure, how it's implemented
under the sea, on land, and with our sea and land implementation we have
a terrestrial network. Now with Azure Orbital, we're bringing our Azure
network into space. What we do with Azure Orbital is we partner with providers like those mentioned at
the bottom of the slide, where they're able to co-locate their ground stations
with our datacenters, so satellite uplink and downlink in physical proximity to Azure DCs. By doing so, we're able to combine our partners' satellite networks
with our terrestrial networks, so their satellite data
can take advantage of our terrestrial networks and
so that Azure customers can expand their terrestrial networks or the Azure terrestrial networks into space through Azure Orbital
and these key partners. This slide covers a number of interesting roadmap items that are coming your way in the coming months. End-to-end IPv6 support over Azure private peering
from On-prem into Azure. Support for service tags on
user defined route tables. Azure prefix modification
on peered VNets. A VNet route service
with BGP endpoints. These features are
coming your way soon. You can dig more deeply into the
content that we discussed in this presentation by following
the link on this slide. With that, I'm going to wrap up. Thank you very much for
viewing this presentation, and thank you for using our product.