Last Update: Sep 04, 2024 | Published: Oct 09, 2017
This post will describe the many networking announcements that were made at Microsoft Ignite 2017.
Microsoft likes to tell us how cloud-scale its Azure regions are whether it’s trillions of objects or millions of petabytes. A couple of statistics were shared about the networking in Azure:
I guess they should be able to get 4K streams from Netflix on that!
Last year, Microsoft announced VNet Peering; a way to very easily connect virtual machines in different virtual networks. This solution didn’t require gateways and allowed virtual machines to communicate at NIC speeds rather than at lower gateway speeds. A big restriction was that VNet peering only worked inside of a region and VNet-to-VNet VPN was required for inter-region VNet integration.
This year, Microsoft announced that inter-region VNet peering is being added as a design option, thus greatly simplifying communications between virtual machines in different regions. This feature is currently in preview in limited regions.
A new security service is being added to protect virtual networks from DDoS attacks from the Internet, supplementing the basic service that is already there. Over 60 types of attack are protected against, with layer-7 (application) protection coming from the Application Gateway Web Application Firewall. AI is being used to provide adaptive tuning, and the protection will integrate with Azure Monitor and alerting.
The VNet allows Azure customers to tightly control network security. Some PaaS services have not been able to join a VNet and were “open” on the Internet. In reality, they have some protections but not necessarily the classic protections we usually want.
Today, it is possible to make some services accessible only from a VNet; the current services are Azure SQL and Storage Accounts – in preview in selected regions. More will be added in the future.
NSGs provide layer 4 (transport layer) security for subnets and/or virtual NICs in a virtual network. There have been some difficulties with NSGs.
The first is that all Azure services were grouped into a location tag called Internet. If one blocked all outbound traffic to Internet, then virtual machines would fail to start up because they couldn’t reach Azure for various requirements. This led to a very messy scheduled scripted solution. New tags will be provided to support Azure services, making it easier to block Internet but allow access to Azure services.
In larger deployments, one might want to deploy NSGs to a group of machines in a micro-segmented subnet. That will be possible with Application Security Groups.
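As an added illustration (not from the post), here is the NSG arrangement described above in ARM-template form: a high-priority outbound rule allows HTTPS to the Storage service tag, and a low-priority rule then denies everything else tagged Internet, so the VM can still reach Azure Storage without the Internet tag being open. The post does not name the new tags; the Storage tag, the apiVersion and the resource names here are assumptions and placeholders.

```json
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2017-10-01",
  "name": "nsg-app-subnet",
  "location": "[resourceGroup().location]",
  "properties": {
    "securityRules": [
      {
        "name": "allow-storage-out",
        "properties": {
          "description": "Assumed tag: permit HTTPS to Azure Storage; lower number wins, so this is evaluated before the Internet deny",
          "priority": 100,
          "direction": "Outbound",
          "access": "Allow",
          "protocol": "Tcp",
          "sourceAddressPrefix": "VirtualNetwork",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "Storage",
          "destinationPortRange": "443"
        }
      },
      {
        "name": "deny-internet-out",
        "properties": {
          "description": "Catch-all: block every other outbound flow to the Internet tag",
          "priority": 4000,
          "direction": "Outbound",
          "access": "Deny",
          "protocol": "*",
          "sourceAddressPrefix": "*",
          "sourcePortRange": "*",
          "destinationAddressPrefix": "Internet",
          "destinationPortRange": "*"
        }
      }
    ]
  }
}
```

Further Azure services get the same treatment: one allow rule per service tag, each with a priority number lower than the Internet deny.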
Increased customer consumption and the arrival of availability zones meant that we needed a new layer-4 load balancer in Azure. So we got one:
Accelerated Networking enables extremely fast virtual machine networking with the maximum speed now reaching 30Gbps. Support has been expanded to include virtual machines with 4 vCPUs.
I’ll be honest, this flew right over my head. According to Intel, DPDK:
… greatly boosts packet processing performance and throughput, allowing more time for data plane applications.
The work that Azure is doing is aimed at NVAs, such as virtual firewalls. This is probably to reduce the amount of time that the CPU spends processing packets and to give customers more bang for their buck. Microsoft partners that produce NVAs can apply to join the preview.
The WAN solution for connection to Azure is getting some new features:
I have got a customer that will be happy with this news:
Some improvements that will be in preview:
Not many know that Azure has a DNS hosting service that is really easy to use. It offers great performance by being replicated to every Azure region. Up to now, you could only host public domains in Azure DNS.
Azure DNS is adding (soon) support for private DNS domains. You can bring your private company zones to Azure, co-host public and private zones with the same domain names, and eliminate the need to deploy DNS servers.
You can use Traffic Manager to scale out deployments across regions, non-Azure endpoints, and for failover between Azure and non-Azure endpoints. Some new monitoring capabilities are being added to improve end-user performance and to assist with your understanding of traffic flow and patterns.