Azure Networking Announcements from Ignite

Paul Thurrott's Short Takes: September 29
This post will describe the many networking announcements that were made at Microsoft Ignite 2017.


Some Statistics

Microsoft likes to tell us how cloud-scale its Azure regions are whether it’s trillions of objects or millions of petabytes. A couple of statistics were shared about the networking in Azure:

  • Up to 1.6 Pb/s of intra-regional capacity
  • Nearly 2 million miles of fiber in the data centers

I guess they should be able to get 4K streams from Netflix on that!

Global VNet Peering

Last year, Microsoft announced VNet Peering; a way to very easily connect virtual machines in different virtual networks. This solution didn’t require gateways and allowed virtual machines to communicate at NIC speeds rather than at lower gateway speeds. A big restriction was that VNet peering only worked inside of a region and VNet-to-VNet VPN was required for inter-region VNet integration.
This year, Microsoft announced that inter-region VNet peering is being added as a design option, thus greatly simplifying communications between virtual machines in different regions. This feature is currently in preview in limited regions.

Azure DDoS Protection Service

A new security service is being added to protect virtual networks from DDoS attacks from the Internet, supplementing the basic service that is already there. Over 60 types of attack are protected against with layer-7 (application) protection coming from the Application Gateway Web Application Firewall. AI is being used to provide adaptive tuning and the protection will integrate with Azure Monitor and alerting.

VNet Service Endpoints

The VNet allows Azure customers to tightly control network security. Some PaaS services have not been able to join a VNet and were “open” on the Internet. In reality, they have some protections but not necessarily the classic protections we usually want.
Today, it is possible to make some services accessible only from a VNet; the current services are Azure SQL and Storage Accounts – in preview in selected regions. More will be added in the future.

Network Security Groups (NSGs)

NSGs provide layer 4 (transport layer) security for subnets and/or virtual NICs in a virtual network. There have been some difficulties with NSGs.
The first is that all Azure services were grouped into a Location/tag called Internet. If one blocked all outbound traffic to Internet, then virtual machines would fail to start up. Tthey couldn’t reach Azure for various requirements. This lead to a very messy scheduled scripted solution. New tags will be provided to support Azure services, making it easier to block Internet but allow access to Azure services.
In larger deployments, one might want to deploy NSGs to a group of machines in a micro-segmented subnet. That will be possible with Application Security Groups.

New Load Balancer

Increased customer consumption and the arrival of availability zones meant that we needed a new layer-4 load balancer in Azure. So we got one:

  • 10x more virtual machines, increasing from the maximum backend of 100 to 1000 virtual machines
  • Supporting availability zone high availability using anycast IP addresses – a single frontend IP address that can span availability zones
  • HA ports that simplify network virtualization appliance (NVA) high availability
  • More health and metrics

Virtual Machine Networking Speeds

Accelerated Networking enables extremely fast virtual machine networking with the maximum speed now reaching 30Gbps. Support has been expanded to include virtual machines with 4 vCPUs.

Data Plane Data Kit (DPDK) Developer Preview

I’ll be honest, this flew right over my head. According to Intel, DPDK:

… greatly boosts packet processing performance and throughput, allowing more time for data plane applications.

The work that Azure is doing is aimed at NVAs, such as virtual firewalls. This is probably to reduce the amount of time that the CPU spends processing packets and to give customers more bang for their buck. Microsoft partners that produce NVAs can apply to join the preview.


The WAN solution for connection to Azure is getting some new features:

  • Merged public and Microsoft peerings
  • Support for route filters
  • IPv6 support for Microsoft peering
  • End-to-end monitoring using a new feature called Network Performance Monitor for ExpressRoute

Point-to-Site VPN

I have got a customer that will be happy with this news:

  • There is support for MacOS clients now. There wasn’t in the past.
  • AD/RADIUS authentication will be supported.

Site-to-Site VPN

Some improvement that will be in preview:

  • The ability to apply custom IPsec/IKE policies
  • A feature allowing you to download scripts for configuring on-premises VPN devices

Azure DNS

Not many know that Azure has a DNS hosting service that is really easy to use. It offers great performance by being replicated to every Azure region. Up to now, you could only host public domains in Azure DNS.
Azure DNS is adding (soon) support for private DNS domains. You can bring your private company zones to Azure, co-host public and private zones with the same domain names, and eliminate the need to deploy DNS servers.

Traffic Manager Monitoring

You can use Traffic Manager to scale out deployments across regions, non-Azure endpoints, and for failover between Azure and non-Azure endpoints. Some new monitoring capabilities are being added to improve end-user performance and to assist with your understanding of traffic flow and patterns.