Azure Virtual Network (VNet) is the fundamental building block for any customer network. VNet lets you create your own private space in Azure, or as I call it your own network bubble. VNets are crucial to your cloud network as they offer isolation, segmentation, and other key benefits. Read more about VNet’s key benefits in our documentation, “What is Azure Virtual Network?”
With VNets, you can connect your network in multiple ways. You can connect to on-premises using Point-to-Site (P2S), Site-to-Site (S2S) gateways or ExpressRoute gateways. You can also connect to other VNets directly using VNet peering.
A customer network can be expanded by peering Virtual Networks to one another. Traffic sent over VNet peering is completely private and stays on the Microsoft backbone; no extra hops or public Internet are involved. Customers typically leverage VNet peering in the hub-and-spoke topology: the hub consists of shared services and gateways, and the spokes comprise business units or applications.
Today I’d like to do a refresh of a unique and powerful functionality we’ve supported from day one with VNet peering. Gateway transit enables you to use a peered VNet’s gateway for connecting to on-premises instead of creating a new gateway for connectivity.
Today we are excited to launch two new key capabilities to Azure Firewall.
Threat intelligence based filtering
Service tags filtering
Azure Firewall is a cloud native firewall-as-a-service offering which enables customers to centrally govern all their traffic flows using a DevOps approach. The service supports both application (such as *.github.com), and network level filtering rules. It is highly available and auto scales as your traffic grows.
Threat intelligence based filtering (preview)
Microsoft has a rich signal of both internal threat intelligence data, as well as third party sourced data. Our vast team of data scientists and cybersecurity experts are constantly mining this data to create a high confidence list of known malicious IP addresses and domains. Azure firewall can now be configured to alert and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. The Microsoft Intelligent Security Graph powers Microsoft Threat Intelligence and provides security in multiple Microsoft products and services, including Azure Security Center and Azure Sentinel.
Threat intelligence-based filtering is default-enabled in alert mode for all Azure Firewall deployments, providing logging of all matching indicators. Customers can adjust behavior
A network virtual appliance (NVA) is a virtual appliance primarily focused on network functions virtualization. A typical network virtual appliance provides various layer four to layer seven functions such as firewall, WAN optimizer, application delivery controller, router, load balancer, IDS/IPS, proxy, SD-WAN edge, and more. While the public cloud may provide some of these functions natively, it is quite common to see customers deploying network virtual appliances from independent software vendors (ISVs). These capabilities in the public cloud enable hybrid solutions and are generally available through the Azure Marketplace.
What exactly is the network virtual appliance in the cloud?
A network virtual appliance is often a full Linux virtual machine (VM) image consisting of a Linux kernel and includes user level applications and services. When a VM is created, it first boots the Linux kernel to initialize the system and then starts up any application or management services needed to make the network virtual appliance functional. The cloud provider is responsible for the compute resources, while the ISV provides the image that represents the software stack of the virtual appliance.
Similar to a standard Linux distribution, the Linux kernel is integral to the NVA’s image and is provided by the ISV often
Over the past few years, SONiC (Software for Open Networking in the Cloud), our open switch OS, has been in the fast lane. A diverse group of community partners have actively engaged with us to contribute and support the evolvement of the software.
SONiC is considered a live organism, always evolving. Microsoft and the community are developing, refining, and making SONiC freely available to anyone running global-scale or cloud-type networks, or who simply has a healthy interest in advanced networking.
Being in control of the network fabric and particularly having a hardware agnostic approach across larger heterogenous networks is critical. SONiC was created to provide those foundational attributes we ourselves needed when we set out to build our global network which powers both Azure and our other cloud services.
Recently, SONiC has received several enhancements and updates, along with additions to the ecosystem contributing to SONiC’s success.
Let’s take a look at what is new.
Global support now available
We are excited to see SONiC and its sibling SAI (Switch Abstraction Interface) being adopted by many global network innovators. Recently, both Dell EMC and Mellanox announced that SONiC will feature as switch OS options for customers using their respective hardware
We are excited to announce the general availability of private endpoint in HDInsight clusters deployed in a virtual network. This feature enables enterprises to better isolate access to their HDInsight clusters from the public internet and enhance their security at the networking layer.
Previously, when customers deployed an HDI cluster in a virtual network, there was only one public endpoint available in the form of https://<CLUSTERNAME>.azurehdinsight.net. This endpoint resolves to a public IP for accessing the cluster. Customers who wanted to restrict the incoming traffic had to use network security group (NSG) rules. Specifically, they had to white-list the IPs of both the HDInsight management traffic as well as the end users who wanted to access the cluster. These end users might have already been located inside the virtual network, but they had to be white-listed to be able to reach the public endpoint. It was hard to identify and white-list these end users’ dynamic IPs, as they would often change.
With the introduction of private endpoint, customers can now use NSG rules to separate access from the public internet and end users that are within the virtual network’s trusted boundary. The virtual network can be extended to the on-premise
Azure Application Gateway provides an access log for customers that records traffic patterns and useful information, such as caller’s IP, requested URL, return code, and more. These logs can be pushed to Azure Storage and parsed with different tools for analysis such as Azure Log Analytics, Excel, and Power BI. The level of difficulty in setting up and using these mechanisms largely depends on customers’ familiarity and preferences.
Customers need traffic analytics for a variety of scenarios, some of which are:
Live monitoring during an anticipated high traffic event such as a promotional campaign.
Debugging and troubleshooting operational issues, including security incidents.
Understanding who their customers are based on observed traffic (client stats).
Understanding which parts or URLs of their application are in high demand (top requested URLs).
Understanding how well their application is performing (failures and latency).
We are pleased to add to the existing Application Gateway traffic analytics toolkit the integration of Application Gateway access logs with the popular open source GoAccess real-time log analyzer framework via a published Azure Quickstart template. This integration gives customers another choice for deriving insights on AppGW traffic flow. GoAccess presents data in a rich dashboard for multiple output formats such as
This blog was co-authored by Sharad Agrawal, Senior Program Manager, Azure Networking
Every day we see you, our customers, pushing the boundaries of availability, performance and scalability. We hear you asking not just for the ability to scale two times, five times, but 10 times and 100 times instantly, without sacrificing performance or security. These same needs arose in Microsoft’s own cloud journey over the last 10 years and led us to build large, enterprise grade network and application infrastructure to solve reliability, scalability, performance and agility problems across Microsoft. Solving these enterprise-grade challenges for both consumer and enterprise services from Bing, Office, Skype, Azure, etc. led to developing unique infrastructure and services, battle-tested by years of constant support for Microsoft’s largest businesses.
Today, we are excited to bring one of these enterprise-grade services to you as we announce the public preview of our newest addition to the Azure Networking and Azure’s application delivery suite of products, Azure Front Door Service. This service, your application’s new Front Door, is a secure and highly available entry point for delivering your high performance global hyperscale apps.
Front Door provides your web and mobile applications, APIs, and/or cloud services with always-on reliability, high performance,
Announcing: 100 Gbps, fastest connectivity in public cloud and availability of branch connectivity, new cloud native security capabilities and application performance services
As enterprises move ever more demanding mission-critical workloads to the cloud, we strive to provide comprehensive networking services that are easy to deploy, manage, scale, and monitor. Customers continue to ask for better ways to connect to the cloud, better protection of their cloud workloads, optimal application performance delivery, and more comprehensive monitoring services.
In terms of how to Connect, customers have asked for significantly higher bandwidth solutions as they struggle to transit massive amounts of data into the cloud to take advantage of advanced analytics and machine learning. Software Defined Wide Area Networking (SDWAN) holds tremendous promise to reduce costs by intelligently routing more traffic onto the Internet and helping customers better manage connectivity to their branch offices. The concept of the virtual datacenter has taken hold but building such solutions on a global scale remain a challenge. With 54+ Azure regions and more on the way our global network continues to expand to new locations while we increase its overall capacity. Customers have asked us for new ways to take advantage of our global WAN. We
This blog post was co-authored by Anitha Adusumilli, Principal Program Manager, Azure Networking.
We recently made Azure database services for MySQL and PostgreSQL generally available. These services offer the community versions of MySQL and PostgreSQL with built-in high availability, a 99.99 percent availability SLA, elastic scaling for performance, and industry-leading security and compliance on Azure. Since general availability, we have continued to bring new features and capabilities like increased storage and availability across more regions worldwide.
We are excited to announce the general availability of Virtual Network (VNet) service endpoints for Azure Database for MySQL and PostgreSQL in all regions where the service is available for General Purpose and Memory Optimized servers. Visit region expansion for MySQL and PostgreSQL for service availability. VNet service endpoints enable you to restrict connectivity to your logical server to only a given subnet or set of subnets within your virtual network. The traffic to Azure Database for MySQL and/or PostgreSQL from your VNet always stays within the Azure backbone network. This direct route is preferred over any specific routes that send Internet traffic through virtual appliances or on-premises.
HDInsight enterprise customers work with some of the most sensitive data in the world. They want to be able to lock down access to this data at the networking layer as well. However, while service endpoints have been available in Azure data sources, HDInsight customers couldn’t leverage this additional layer of security for their big data pipelines due to the lack of interoperability between HDInsight and other data stores. As we have recently announced, HDInsight is now excited to support service endpoints for Azure Blob Storage, Azure SQL databases and Azure Cosmos DB.
With this enhanced level of security at the networking layer, customers can now lock down their big data storage accounts to their specified Virtual Networks (VNETs) and still use HDInsight clusters seamlessly to access and process that data.
In the rest of this post we will explore how to enable service endpoints and point out important HDInsight configurations for Azure Blob Storage, Azure SQL DB, and Azure CosmosDB.
Azure Blob Storage
When using Azure Blob Storage with HDInsight, you can configure selected VNETs in the storage account's firewall settings. This ensures that only traffic from those subnets can access the storage account.
It is important to