
Microsoft Virtual Academy

Design Microsoft Azure infrastructure and networking
Michael Withrow | Cloud Solution Architect
Walter Myers | Cloud Solution Architect

Meet Michael Withrow | @mwithrow

Cloud Solution Architect
Previously in Microsoft Consulting Services for the last 6+ years, focused on Private\Hybrid\Public Cloud
Deep focus on Azure from an IT Pro and developer perspective

Over 15 years of industry experience

US Army, General Dynamics, Hewlett-Packard (HP)
Frequent speaker at internal and industry conferences on a variety of cloud-related topics

Meet Walter Myers III


Cloud Solution Architect, Microsoft
21 years with Microsoft Consulting Services
Microsoft Americas Azure Community Lead

Over 25 years of industry experience


Azure enterprise: American Express, Toyota, Amgen,
Baxter
Focused on Azure since inception

PaaS Application Development


IaaS Migrations
Virtual Networking
System Center and Azure

Blog: http://blogs.msdn.com/walterm

Course Topics
Design Microsoft Azure infrastructure and networking

01 | Understand Azure datacenter architecture, regional availability, and high availability
02 | Design Azure virtual networks, networking services, DNS, DHCP, and IP addressing configuration
03 | Design Azure compute
04 | Describe Azure virtual private network (VPN) and ExpressRoute architecture and design
05 | Describe Azure services

Setting Expectations
Target Audience
IT Pros
Anyone taking the 534 exam

Suggested Prerequisites/Supporting Material
Experience with Microsoft Azure
534 Exam Study Guide

Join the MVA Community!

Microsoft Virtual Academy
Free online learning tailored for IT Pros and Developers
Over 1M registered users
Up-to-date, relevant training on a variety of Microsoft products

Microsoft Virtual Academy

01 | Understand Azure datacenter architecture, regional availability, and high availability
Michael Withrow | Cloud Solution Architect
Walter Myers | Cloud Solution Architect


Module Overview
Data Center Architecture
Global Presence

Datacenter Architecture
Region can be comprised of multiple datacenters
Datacenters are divided into clusters
Each rack provides a unit of fault isolation

[Diagram: datacenter routers feed aggregation routers and load balancers; a cluster network aggregation layer ("Agg") connects Cluster 1 through Cluster 5; each cluster is built from racks, and each rack has its own Power Distribution Units (PDU), Top of Rack (TOR) switches and servers]

Inside a Physical Server
CPU, memory, disk & networking resources are committed when allocating the service.

[Diagram: a physical server attached to a TOR switch and a PDU. The host partition runs the FC Host Agent, which reports to the Fabric Controller. Guest VMs (PaaS VM role instances and an IaaS VM role) each run a Guest Agent and are allocated their own CPUs; a trust boundary separates the guest VMs from the host partition. CPUs not yet assigned to a VM remain unallocated.]

Global Presence

North America Region: West U.S., N. Central U.S., S. Central U.S. and East U.S. sub-regions
Europe Region: N. Europe and W. Europe sub-regions
Asia Pacific Area: E. Asia, S.E. Asia, East Japan, West Japan, East Australia and Southeast Australia sub-regions; NE. China and E. China sub-regions (via 21Vianet)
LATAM Sub-Region

Map legend: Major datacenter, CDN node, Live sub-region, Announced sub-region, Partner-operated sub-region

24 x 7 x 365 support.
89 markets worldwide.
2x compute and storage every six months.

Microsoft Virtual Academy

02 | Design Azure virtual networks, networking services, DNS, DHCP, and IP addressing configuration
Michael Withrow | Cloud Solution Architect
Walter Myers | Cloud Solution Architect


Module Overview
Internet Connectivity
Intra-Region Communication
Cross-Premises Communication
ExpressRoute
Virtual Appliance and Partner EcoSystem
Hybrid Networking Services

Internet Connectivity

IP Reservation
Reserve public IP addresses from Azure's pool
You have control over the IP addresses till you release them
Assign IPs to cloud services
Move IP addresses across cloud services

[Diagram: before vs. with VIP reservation. In both cases traffic from the Internet reaches the Microsoft Azure load balancer (LB) on the cloud service VIP at IP:<port x> and is forwarded to DIP1:<port y> OR DIP2:<port y> (VM1 with DIP1, VM2 with DIP2). With VIP reservation the cloud service fronts a Reserved VIP instead of a dynamically assigned one.]

Traffic Manager: DNS-based Load Balancing

www.yourapp.com

Load balancing policies
Performance - Direct to closest service based on network latency
Round-robin - Distribute equally across all services
Failover - Direct to backup service if primary fails

Traffic Manager Nested Profiles
Enable richer profiles with greater flexibility for large/complex deployments

Example: Cross-region failover within a Geo, plus in-region flighting
Level 1: Route to user's nearest Geo (US, EU, ASIA)
Level 2: Route to nearest Region, with cross-region failover within the Geo
Level 3: Load-balance within the region, divert 1% for flighting

[Diagram: nested profiles spanning cloud services in US West, US East, Europe North and Europe West]
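The three-level resolution described above, as an added example that is not part of the MVA deck: a small model of how a nested profile answers one DNS query. Profile names, endpoint names, latencies and health states are constructed; the real Traffic Manager logic is not public, so this reproduces only the behaviour the slide lists (performance at Level 1, failover at Level 2, a 1% flight split at Level 3).

```python
import random

# Constructed nested profile tree modelled on the slide's three levels. A name
# that appears as a key is a profile; any other name is a leaf cloud service.
PROFILES = {
    "geo":      ("performance", ["us", "eu"]),                    # Level 1: nearest Geo
    "us":       ("failover", ["us-west", "us-east"]),              # Level 2: failover in Geo
    "eu":       ("failover", ["eu-north", "eu-west"]),
    "us-west":  ("flight", ["us-west-prod", "us-west-flight"]),    # Level 3: 1% flighting
    "us-east":  ("flight", ["us-east-prod", "us-east-flight"]),
    "eu-north": ("flight", ["eu-north-prod", "eu-north-flight"]),
    "eu-west":  ("flight", ["eu-west-prod", "eu-west-flight"]),
}
FLIGHT_PERCENT = 1  # the slide's "divert 1% for flighting"


def leaves(name="geo"):
    """All cloud service endpoints reachable under a profile."""
    if name not in PROFILES:
        return [name]
    return [leaf for child in PROFILES[name][1] for leaf in leaves(child)]


def healthy(name, health):
    """A profile is healthy while any child is; a leaf reads its probe state."""
    if name in PROFILES:
        return any(healthy(child, health) for child in PROFILES[name][1])
    return health.get(name, False)


def resolve(name, geo_latency_ms, health, roll=lambda: random.randint(1, 100)):
    """Walk the nested profiles and return the endpoint a DNS query is answered
    with, or None when every endpoint beneath `name` is unhealthy.
    geo_latency_ms: client latency to each Level 1 child (constructed probe data).
    roll: a 1..100 dice used by the flighting split (injectable for testing)."""
    if name not in PROFILES:
        return name if health.get(name, False) else None
    method, children = PROFILES[name]
    candidates = [c for c in children if healthy(c, health)]
    if not candidates:
        return None
    if method == "performance":      # closest Geo by measured network latency
        chosen = min(candidates, key=lambda c: geo_latency_ms[c])
    elif method == "failover":       # children are listed in priority order
        chosen = candidates[0]
    else:                            # "flight": divert FLIGHT_PERCENT to the flight
        prod, flight = children
        chosen = flight if flight in candidates and roll() <= FLIGHT_PERCENT else prod
        if chosen not in candidates:  # prod is down: fall back to what is healthy
            chosen = candidates[0]
    return resolve(chosen, geo_latency_ms, health, roll)
```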

Intra-Region Communication

Internal load balancing (ILB)
Enables load balancing among VMs with private IP addresses
Accessible only from:
Within customer's cloud service
Customer's VNets
Customer's on-premises VNets

Multi-tier applications with internal-facing tiers require ILB
HA LOB apps
SQL Always On
RDP to internal endpoints for added default security

[Diagram: Internet traffic enters the customer virtual network through the external load balancer on a public VIP and lands on the web frontend tier; the frontend tier and the customer's on-premises network reach the logic tier (back end) through an internal load balancer on an internal VIP]

Cross-premises Communication

Multi-site VNet connectivity
Multiple on-premises sites connect to the same virtual network
Sites may be geographically dispersed
Connect up to 10 sites to a virtual network securely over IPsec

[Diagram: before, only one-to-one connections (Contoso NorthAm HQ 10.0.0.0/16 to VNet1 in US West, Contoso East Asia 10.3.0.0/16 to VNet2 in East Asia). With multi-site VNet connectivity, multiple site-to-site connections let a VNet connect to multiple on-premises locations.]

Cross-region VNet connectivity
Cross-region VNet connectivity to any Azure region
For HA and DR, customers create virtual networks in different Azure regions
Scenario: SQL AlwaysOn sync to cross-region replicas

Cross-subscription connectivity
Virtual networks in different subscriptions can securely communicate using private IP addresses
Scenarios: Cross-division/dept. workload communication; B2B transactions in the cloud

[Diagram: before, only one-to-one connections (Contoso NorthAm HQ 10.0.0.0/16 to VNet1 in US West, Contoso East Asia 10.3.0.0/16 to VNet2 in East Asia). With multi-site and cross-region VNet-to-VNet connectivity, each site connects to multiple on-premises locations and to other VNets.]

ExpressRoute

Customers want Azure on their network

IPsec VPN over Internet
Encrypted data traverses Internet to reach Azure
Limited bandwidth and higher availability

Cloud on your WAN
Traffic flows directly from customer WAN to Azure
Reduces complexity
Provides lower latency, higher bandwidth and greater availability

[Diagram: left, Corp HQ, Branch office 1 and Branch office 2 on a WAN reach Azure across the public Internet; right, Azure hangs directly off the customer WAN alongside Corp HQ and the branch offices]

ExpressRoute Locations
Locations
US
Atlanta
Chicago
Dallas
Los Angeles
New York
Seattle
Silicon Valley, CA
Washington D.C.
EMEA
Amsterdam
London, UK
APAC
Hong Kong
Singapore
Sydney
Tokyo

Partners

AT&T
British Telecom
Colt
Equinix
Internet Initiative Japan
(IIJ)
Level3
Orange
SingTel
Tata Communications
Telecity Group
Telstra
Verizon

Map legend: Azure datacenters; ExpressRoute Locations (today); New Locations and coming soon

Path Diversity for HA and DR
One VNet can be linked to many circuits
Each circuit can be through different service providers in different locations
HA + DR = Active-active in 1 location + active-active in 2nd location
Aggregate Throughput determined by VNet Gateway size

[Diagram: a VNet linked to circuits in both London and Amsterdam, reaching the North Europe and West Europe regions]

Sharing ExpressRoute Connections
Share an ExpressRoute circuit across other subscriptions
Circuit owner must authorize and can revoke
Owner gets billed for usage

[Diagram: an on-premises network (proxy / Internet edge, AD / DNS, monitoring, SQL farm, IIS servers) reaches Microsoft Azure over a single ExpressRoute circuit shared by the IT, Exchange, Sales, R&D and Marketing subscriptions, each with its own AD / DNS; the Azure side hosts Storage, SQL DB and Websites]

Virtual Appliance Platform & Ecosystem

Multiple NICs in Azure VMs
Multiple NICs enable virtual appliances in Azure
Up to 4 NICs per VM
MAC/IP addresses persist through VM life cycle
Separate frontend/backend traffic, and management/data planes

[Diagram: an Azure Virtual Machine with a default NIC (10.2.1.11) on the frontend subnet, NIC1 (10.2.2.22) on the app subnet and NIC2 (10.2.3.33) on the backend subnet of an Azure Virtual Network; Internet traffic arrives on VIP 133.44.55.66]

Bring Your Appliances to the Cloud

Building blocks
Multiple NICs
MAC address persistence

Appliance ecosystem (Azure Certified)
Barracuda NG Firewall
Citrix NetScaler
Riverbed Steelhead, SteelApp, SteelStore
More to come!

Hybrid Networking Services

Microsoft Azure hybrid offerings (Cloud <-> Customer)

Secure point-to-site connectivity
Segment and workloads: Developers; POC efforts; small scale deployments; connect from anywhere

Secure site-to-site VPN connectivity
Segment and workloads: SMB, Enterprises; connect to Azure compute

ExpressRoute private connectivity
Segment and workloads: SMB & Enterprises; mission critical workloads; Backup/DR, media, HPC; connect to all Azure services

Network Security Groups (NSG)
Enables network segmentation & DMZ scenarios
Access Control List
Filter conditions with allow/deny
Individual addresses, address prefixes, wildcards
Associate with VMs or subnets
ACLs can be updated independent of VMs

[Diagram: a Virtual Network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets; the Internet reaches the frontend directly, while On Premises 10.0/16 reaches the VNet through S2S VPNs terminating on the VPN GW]
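How an NSG access control list decides a packet's fate for the three-tier network on the slide, as an added example that is not part of the MVA deck. The rule set, priorities, rule names and test addresses are constructed; the model keeps the slide's allow/deny, prefix and wildcard ("*") filter conditions and the first-match-by-priority evaluation, and leaves out direction and source port for brevity.

```python
import ipaddress

# Constructed NSG for the slide's three-tier Virtual Network. Each rule is
# (priority, name, action, source prefix, destination prefix, destination port);
# the slide's 10.1/16 style shorthand is written out as 10.1.0.0/16 here.
FRONTEND, MIDTIER, BACKEND = "10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"
ONPREM = "10.0.0.0/16"   # the slide's On Premises range, reached over S2S VPN
RULES = [
    (100, "allow-internet-to-frontend-https", "Allow", "*", FRONTEND, "443"),
    (200, "deny-frontend-to-backend", "Deny", FRONTEND, BACKEND, "*"),
    (300, "allow-frontend-to-midtier", "Allow", FRONTEND, MIDTIER, "8080"),
    (400, "allow-midtier-to-backend-sql", "Allow", MIDTIER, BACKEND, "1433"),
    (500, "allow-onprem-rdp-over-s2s", "Allow", ONPREM, BACKEND, "3389"),
]


def prefix_matches(prefix, address):
    """'*' is the wildcard; otherwise test membership in the CIDR prefix."""
    if prefix == "*":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec, port):
    """Accept '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def evaluate(rules, src, dst, port, default="Deny"):
    """Lowest priority number is checked first; the first matching rule decides
    and nothing below it is consulted. Returns (action, rule name). Anything no
    rule matches falls to the default, which here is an implicit deny."""
    for priority, name, action, src_prefix, dst_prefix, dst_port in sorted(rules):
        if (prefix_matches(src_prefix, src) and prefix_matches(dst_prefix, dst)
                and port_matches(dst_port, port)):
            return action, name
    return default, "implicit-default"
```

Because priority 200 denies frontend-to-backend before priority 400 can allow SQL traffic, only the mid-tier reaches the backend on 1433, which is the DMZ layering the slide is after.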

Forced Tunneling
Force or redirect customer Internet-bound traffic to an on-premises site
Auditing & inspecting outbound traffic from Azure
Needed by many scenarios for critical security and IT policy requirements

[Diagram: the same Virtual Network (Frontend 10.1/16, Mid-tier 10.2/16, Backend 10.3/16); Internet-bound traffic from the VNet is forced-tunneled via the S2S VPN through the VPN GW to On Premises instead of leaving for the Internet directly]

Gateway Enhancements

High Performance Gateway
Better throughput
More S2S tunnels
Pricing: $0.49 per gateway hour; data transfer & VNet traffic rates unchanged

Gateway SKU         ExpressRoute Throughput*   S2S Throughput*   Max Tunnels
Default             500 Mbps                   100 Mbps          10
High Performance    1000 Mbps                  200 Mbps          30
* Subject to traffic conditions and application behavior

No Encryption option
Better throughput for VNet-to-VNet within Azure
Intra-/Inter-region VNet-to-VNet traffic stays within Microsoft networks, not Internet

PFS Support for IKE
Compliance requirements & better security

Operations Logs (NEW)

Virtual Network VPN Ecosystem

Microsoft Virtual Academy

03 | Design Azure compute
Michael Withrow | Cloud Solution Architect
Walter Myers | Cloud Solution Architect


Module Overview
Virtual Machines
Virtual Machine Availability
VM Extensions

Virtual Machines: IaaS vs PaaS

Storage
Worker Role (PaaS): Non-Persistent Storage
Virtual Machine (IaaS): Persistent Storage; easily add additional storage

Deployment
Worker Role (PaaS): Stock VHDs
Virtual Machine (IaaS): Build VHD directly in the cloud or build the VHD offsite and upload

Networking
Worker Role (PaaS): Internal and Input Endpoints configured through service model.
Virtual Machine (IaaS): Internal Endpoints are open by default. Access control with firewall on guest OS. Input endpoints controlled through portal, service model or API/Script.

Primary Use
Worker Role (PaaS): Stateless scale-out applications
Virtual Machine (IaaS): Applications that require persistent storage to easily run in Windows Azure.

Images Available
Windows Server
SQL Server
BizTalk Server
SharePoint
Ubuntu
OpenSUSE
CentOS
SUSE Linux Enterprise Server
Oracle Linux

Virtual Machine Sizes

Compute Instance Name   Virtual Cores   RAM
Extra Small (A0)        Shared          768 MB
Small (A1)                              1.75 GB
Medium (A2)                             3.5 GB
Large (A3)                              7 GB
Extra Large (A4)                        14 GB
A5                                      14 GB
A6                                      28 GB
A7                                      56 GB
A8                                      56 GB
A9                      16              112 GB

Compute Instance Name   Virtual Cores   RAM
D1                                      3.5 GB
D2                                      7 GB
D3                                      14 GB
D4                                      28 GB
D11                                     14 GB
D12                                     28 GB
D13                                     56 GB
D14                     16              112 GB

Compute Instance Name   Virtual Cores   RAM
G1                                      28 GB
G2                                      56 GB
G3                                      112 GB
G4                      16              224 GB
G5                      32              448 GB

http://azure.microsoft.com/en-us/pricing/details/virtual-machines/

Each Persistent Data Disk can be up to 1 TB with up to 16 disks per VM

Disk Storage
Images and disks are stored as Microsoft Azure Storage Blobs
Data is triplicated (within one Azure datacenter, optional geo-replication
of blobs to a second datacenter; note this is not replication of the VM,
just the blobs holding the VHD)
All existing storage tools just work

Windows Azure Storage

Virtual Machine Availability

Service Level Agreements
99.9% for single role instances
8.75 hours of downtime per year
99.95% for multiple role instances
4.38 hours of downtime per year

What's included
Compute hardware failure (disk, CPU, memory)
Datacenter failures - network failure, power failure
Hardware upgrades, software maintenance, host OS updates

What is not included
VM container crashes, guest OS updates

How Does this Relate to SLA?
[Diagram: an availability set containing two Virtual Machines, SQL Server Primary and SQL Server Secondary, with SLA 99.95]

Fault and Update Domains

Fault Domains
Represent groups of resources anticipated to fail together
i.e. Same rack, same server
Fabric spreads instances across at least 2 fault domains

Update Domains
Represent groups of resources that will be updated together
Host OS updates honour service update domains
Specified in service definition
Default of 5 (up to 20)

Fabric Controller spreads role instances across Update Domains and Fault Domains

Fault and Update Domains

[Diagram: two fault domains (racks). Web Role instances and Worker Role instances are spread so that each role has instances in both racks, alternating between UD #1 and UD #2 within each rack]
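The spreading the two slides above describe, as an added example that is not part of the MVA deck: instances placed round-robin across fault domains and update domains, and the count that keeps serving when a rack fails while a host OS update is rolling through. The placement rule is an assumption (the fabric's real algorithm is not on the page); the default of 2 fault domains and 5 update domains comes from the slide.

```python
from itertools import product


def place_instances(count, fault_domains=2, update_domains=5):
    """Round-robin placement: instance i lands in fault domain i % FDs and
    update domain i % UDs. Assumed model that reproduces the spreading the
    slide describes, not the Fabric Controller's actual placement algorithm."""
    return [(i, i % fault_domains, i % update_domains) for i in range(count)]


def available(placement, failed_fd=None, updating_ud=None):
    """Instances still serving when one fault domain has failed (e.g. a rack
    lost power) and/or one update domain is down for a host OS update."""
    return [i for i, fd, ud in placement if fd != failed_fd and ud != updating_ud]


def worst_case_available(count, fault_domains=2, update_domains=5):
    """Minimum serving instances over every combination of a single fault
    domain failure coinciding with a single update domain rollout."""
    placement = place_instances(count, fault_domains, update_domains)
    return min(len(available(placement, fd, ud))
               for fd, ud in product(range(fault_domains), range(update_domains)))


def qualifies_for_multi_instance_sla(placement):
    """The 99.95% SLA on the slide needs multiple instances spread over more
    than one fault domain; a lone instance only gets the 99.9% single-instance SLA."""
    return len(placement) >= 2 and len({fd for _, fd, _ in placement}) >= 2
```

With four instances the worst case leaves a single instance serving; with ten, the five survivors of a rack loss all sit in different update domains, so a rollout removes only one more.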

VM Extensions
Extending the power of your VM

IaaS, meet PaaS
Enable easier management
Support partner ecosystem
Full control still with you!

[Diagram: the agent inside the VM pulls curated extensions from Azure]

Microsoft Virtual Academy

05 | Describe Azure Services
Michael Withrow | Cloud Solution Architect
Walter Myers | Cloud Solution Architect


Module Overview
High Level Overview of Azure Services

The benefits of PaaS

PaaS is faster
Reason: There's less work for developers to do
Benefit: Applications can go from idea to availability more quickly

PaaS is cheaper
Reason: There's less admin and management work to do
Benefit: Organizations spend less supporting applications

PaaS is lower risk
Reason: The platform does more, leaving fewer opportunities for error
Benefit: Creating and running applications gets more reliable

Microsoft Azure components


Compute
Virtual Machines
Web Sites
Mobile Services
Cloud Services
Web Roles
Worker Roles

Data Services
Storage
SQL Database
HDInsight
Cache
Redis

Backup
Recovery Manager

App Services
Media Services
Service Bus
Notification Hubs
Scheduler
Automation
BizTalk Services
BizTalk Hybrid Connections
Visual Studio Online
Active Directory
Multi Factor Authentication
API Management
Azure RemoteApp

Network

ExpressRoute
Virtual Network
Traffic Manager
CDN

SDKs

.NET
Java
PHP
Python
Node.js
Ruby

Multiple languages

Open source

http://github.com/windowsazure

Other Azure Services

SQL database
Relational SQL Server Engine in the Cloud
Clustered for high availability
Fully Managed Service
SQL Reporting support

Blob storage
Highly available, scalable and secure file system
Blobs can be exposed publicly over http
Continuous geo-replication across datacenters

Cache
Low latency, in-memory distributed cache
Dynamically grow and shrink cache size
High availability support
Memcached protocol support

Redis Cache
This new cache service gives customers the ability to use a secure, dedicated Redis cache, managed by Microsoft.
With this offer, you get to leverage the rich feature set and ecosystem provided by Redis, and reliable hosting and monitoring from Microsoft.
We are offering the Azure Redis Cache Preview in two tiers:
Basic: A single Cache node (ideal for dev/test and non-critical workloads)
Standard: A replicated Cache (Two nodes, a Master and a Slave)
You can migrate from Shared Cache today to Redis cache

Identity
Integrate with enterprise identity
Enable single sign-on within your apps
Enterprise Graph REST API
93% of Fortune 1000 use Active Directory

Service bus
Secure messaging and relay capabilities
Easily build hybrid apps
Enable loosely coupled solutions

2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered
trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of
Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT
MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
