Azure Cloud: Networking

AZ-304 and AZ-303 Azure Cloud Architect certification preparation (1)

Forming the network (virtual networking)

Traffic management (load balancing and network security)

Reference

I studied mainly the Overview and Concepts pages of each chapter of the official documentation.

1. Virtual Network

A way for resources to communicate with each other inside Azure. Having the resources inside a single virtual network means that all resources within that virtual network can communicate in the private address space.

VNET

How to create one: set the address space, then define the subnets. With an ARM template you can easily create networks with the same configuration again and again.

Connecting different VNets to each other requires separate configuration.

VNET Peering

Connect virtual networks together using Virtual Network Peering, including across regions.
→ Resources in peered networks can communicate on all ports.

Site-to-Site VPN

This is used to connect on-premises infrastructure to Azure virtual networks.
An ASCII string secret is used to authenticate between the VPN device and the VPN gateway.

Point-to-Site VPN

Point-to-site connections get established from a client machine, such as a desktop computer connecting to the VPN.

Network Security Groups

This is used to control traffic flowing into and out of Azure virtual machines.

  • 215.11.0.0 to 215.11.255.255: this address range is routable over the internet.
  • Typical components involved in a network design include a VM, subnet, firewall, and load balancer.

Firewall

Monitors network traffic and enforces the policies you define.

Traffic Routing

You can create custom, or user-defined (static), routes in Azure to override Azure's default system routes, or to add additional routes to a subnet's route table.
Virtual appliance: all traffic from the Azure virtual machines is directed to the on-premises virtual appliance (components involved: virtual network, routing table).
Use this to control incoming traffic from the perimeter network and allow only traffic that meets security requirements to pass through.
→ How to deploy a virtual appliance: you can configure a Windows virtual machine and enable IP forwarding after the routing tables, user-defined routes, and subnets have been updated, or you can use a partner image from Azure Marketplace.

Vnet Service Endpoint

It extends your virtual network private address space and the identity of your VNet to the Azure services, over a direct connection. Endpoints allow you to secure your critical Azure service resources to only your virtual networks. Traffic from your VNet to the Azure service always remains on the Microsoft Azure backbone network. (accessible from one specific Azure Virtual Network)

Example)

The IT department at your company recently enabled forced tunneling. Since the configuration change, developers have noticed degraded performance when they access the database. You need to recommend a solution that minimizes latency when accessing the database while minimizing costs.
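The Traffic Routing and Service Endpoint sections above describe how Azure picks an effective route: longest prefix match first, and among routes of equal length a user-defined route beats a system route. The following is an added illustration written for these notes (not Azure's code and not part of the original page) that models that selection for a subnet under three configurations: default system routes, forced tunneling (a 0.0.0.0/0 UDR), and forced tunneling plus a service endpoint. The VNet range 10.0.0.0/16 and the prefix 203.0.113.0/24 standing in for the SQL service's public prefix are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination address prefix (CIDR)
    next_hop_type: str                 # Azure next hop type: VirtualNetwork, Internet, VirtualNetworkGateway, ...
    origin: str                        # "User" (UDR), "BGP" or "System"
    next_hop_ip: Optional[str] = None  # only meaningful for the VirtualAppliance next hop type


# When several routes share the same prefix length, Azure prefers user-defined, then BGP, then system routes.
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def resolve(dest: str, routes: list[Route]) -> Route:
    """Pick the effective route for a destination: longest prefix match, then origin precedence."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        raise LookupError(f"no route covers {dest}")
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, ORIGIN_RANK[r.origin]))


# System routes Azure creates for every subnet of a 10.0.0.0/16 VNet (constructed sample VNet).
SYSTEM_ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
]

# Forced tunneling: a UDR for 0.0.0.0/0 that pushes all internet-bound traffic through the on-premises path.
FORCED_TUNNEL_ROUTE = Route("0.0.0.0/0", "VirtualNetworkGateway", "User")

# Placeholder (TEST-NET-3) standing in for the public prefix of the Azure SQL service; real prefixes come from Azure.
SQL_SERVICE_PREFIX = "203.0.113.0/24"

# Enabling a service endpoint adds a more specific route for the service prefix with this next hop type,
# so the service traffic stays on the Azure backbone even when 0.0.0.0/0 is forced on-premises.
SQL_ENDPOINT_ROUTE = Route(SQL_SERVICE_PREFIX, "VirtualNetworkServiceEndpoint", "System")


def next_hop_for(dest: str, forced_tunneling: bool, sql_service_endpoint: bool) -> str:
    """Effective next hop type for `dest` under the given subnet configuration."""
    routes = list(SYSTEM_ROUTES)
    if forced_tunneling:
        routes.append(FORCED_TUNNEL_ROUTE)
    if sql_service_endpoint:
        routes.append(SQL_ENDPOINT_ROUTE)
    return resolve(dest, routes).next_hop_type


if __name__ == "__main__":
    sql_ip = "203.0.113.10"
    for ft, ep in [(False, False), (True, False), (True, True)]:
        print(f"forced_tunneling={ft} service_endpoint={ep}: {sql_ip} -> {next_hop_for(sql_ip, ft, ep)}")
```

With forced tunneling alone the database traffic takes the on-premises detour (the source of the latency in the example); the service endpoint route is more specific than 0.0.0.0/0, so it wins by longest prefix match and the VNet-to-VNet route is untouched either way.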

Subnet

The address space for the virtual network should not conflict with the address space for the on-premises network. A subnet is a portion of the virtual network's address space.

2. Load Balancing

For high availability, traffic is distributed across multiple VMs rather than relying on a single VM. Four services support this, and they differ in the network layer at which they operate and in the VNet scope they cover.

When you create a load balancing service, configuration proceeds in this order: frontend → backend pool → routing rules.

An SLA of 99.99% guarantees less than 4 minutes of server downtime per month, and 99.95% guarantees less than 8 minutes per month.

Load Balancer

Five-tuple hash is the default.

Same VNet; network layer 4 (IP)

The Basic SKU is free, but the Standard SKU and above are billed (SKU: pricing tier).

Source: Azure Documentation
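"Five-tuple hash is the default" means Azure Load Balancer maps each flow to a backend by hashing source IP, source port, destination IP, destination port and protocol; the other distribution modes hash only source IP and destination IP (SourceIP) or those plus protocol (SourceIPProtocol), which is what gives a client session affinity. The model below is an added example for these notes, not Azure's implementation: Azure's hash function is not public, so SHA-256 is used here only to get a stable, evenly spread mapping, and the backend names and client address are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "TCP" or "UDP"


def hash_key(flow: Flow, mode: str) -> tuple:
    """The tuple each Azure Load Balancer distribution mode feeds into its hash."""
    if mode == "Default":             # 5-tuple: every new connection may land on a different backend
        return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.protocol)
    if mode == "SourceIP":            # 2-tuple: all connections from one client IP stick to one backend
        return (flow.src_ip, flow.dst_ip)
    if mode == "SourceIPProtocol":    # 3-tuple: sticky per client IP and protocol
        return (flow.src_ip, flow.dst_ip, flow.protocol)
    raise ValueError(f"unknown distribution mode {mode}")


def pick_backend(flow: Flow, backends: list[str], mode: str = "Default") -> str:
    """Deterministically choose a backend for a flow. SHA-256 stands in for Azure's private hash."""
    material = "|".join(str(part) for part in hash_key(flow, mode)).encode()
    digest = hashlib.sha256(material).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def backends_used(flows: list[Flow], backends: list[str], mode: str) -> set[str]:
    """Which backends a set of flows is spread over under a given mode."""
    return {pick_backend(f, backends, mode) for f in flows}


# Constructed sample: one client opening 200 connections (distinct ephemeral source ports)
# to the load balancer frontend 10.0.0.10:443, with three VMs in the backend pool.
BACKENDS = ["vm-web-1", "vm-web-2", "vm-web-3"]
CLIENT_FLOWS = [Flow("198.51.100.25", port, "10.0.0.10", 443, "TCP") for port in range(40000, 40200)]


def demo() -> dict:
    return {mode: backends_used(CLIENT_FLOWS, BACKENDS, mode)
            for mode in ("Default", "SourceIP", "SourceIPProtocol")}


if __name__ == "__main__":
    for mode, used in demo().items():
        print(f"{mode:17s} -> {sorted(used)}")
```

Running the demo shows the trade-off the notes point at: the default 5-tuple mode spreads one client's connections across the pool, while the 2- and 3-tuple modes pin that client to a single VM, which is what you want for stateful sessions and what you must avoid if one busy client could saturate a backend.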

Application Gateway (application load balancer)

Can span different VNets; network layer 7 (HTTP, URL-based) → HTTPS (SSL offloading)
→ If you are looking for Transport Layer Security (TLS) protocol termination ("SSL offload") or per-HTTP/HTTPS-request, application-layer processing, review Application Gateway. It supports capabilities such as SSL termination, cookie-based session affinity, and round robin for load-balancing traffic. Load Balancer load-balances traffic at layer 4 (TCP or UDP).

Application Gateway follows a round-robin approach, distributing requests to each available server in a backend pool in turn.

Supports both Point (device)-to-Site (VNet) and Site-to-Site connections

Secure web applications with a firewall that protects against common web-based attacks including SQL injection, cross-site scripting attacks, and session hijacking.

Application Gateway web application firewall (WAF) protects web applications from common vulnerabilities and exploits. This is done through rules that are defined based on the OWASP core rule sets 3.0 or 2.2.9; among them are rules that detect SQL injection attacks.

Source: Azure

Front Door Service (global load balancer)

Spans different regions (data centers)

→ TLS termination
→ Supports SSL termination and can be used to route traffic to the different clusters.

Routing architecture: Azure Front Door supports the X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto headers.

Azure Front Door is an Application Delivery Network (ADN) as a service, offering various layer 7 load-balancing capabilities for your applications.

Azure Front Door supports HTTP, HTTPS and HTTP/2.

Applications can be authorized through OAuth 2.0.

Source: Azure

Azure Front Door enables you to define, manage and monitor the global routing for your web traffic by optimizing for best performance and quick global failover for high availability. With Front Door, you can transform your global consumer and enterprise applications into robust, high-performing personalized modern applications with content that reaches a global audience through Azure.

Front Door works at Layer 7 (HTTP/HTTPS layer) using anycast protocol with split TCP and Microsoft’s global network to improve global connectivity. Based on your routing method you can ensure that Front Door will route your client requests to the fastest and most available application backend. An application backend is any Internet-facing service hosted inside or outside of Azure. Front Door provides a range of traffic-routing methods and backend health monitoring options to suit different application needs and automatic failover scenarios. Similar to Traffic Manager, Front Door is resilient to failures, including failures to an entire Azure region.

Traffic Manager (DNS-based load balancer)

Spans different regions (data centers); a DNS-based traffic load balancer

Example

  • Provide access to the full .NET Framework, provide redundancy if an Azure region fails, and grant administrators access to the operating system to install custom application dependencies → deploy an Azure virtual machine to two Azure regions and create a Traffic Manager profile

  • Increase Application availability
    Traffic Manager delivers high availability for your critical applications by monitoring your endpoints and providing automatic failover when an endpoint goes down.
  • Improve application performance
    Azure allows you to run cloud services and websites in data centers located around the world. Traffic Manager can improve the responsiveness of your website by directing traffic to the endpoint with the lowest latency.
Source: Azure

Priority traffic-routing method: automatically failover the web application if it detects a failure in the primary region.

Source: Azure

Often an organization wants to provide reliability for its services by deploying one or more backup services in case their primary service goes down. The 'Priority' traffic-routing method allows Azure customers to easily implement this failover pattern (not through Traffic Manager).
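Traffic Manager never sits in the data path: it answers DNS queries, and which endpoint it names depends on the routing method and on what its health probes report. The model below is an added example for these notes (not Traffic Manager's code) covering the two methods the notes mention, Priority (fail over to the next endpoint when the primary is degraded) and Performance (send the client to the lowest-latency healthy endpoint). Endpoint names, DNS targets, and the latency table are constructed values; one documented behaviour is folded in as a comment: when every endpoint is degraded, Traffic Manager treats them all as online rather than returning nothing.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    name: str
    target: str          # DNS name Traffic Manager hands back in its CNAME answer
    priority: int        # Priority method: lower number = preferred
    healthy: bool        # outcome of Traffic Manager's health probes against the endpoint
    enabled: bool = True


def _candidates(endpoints: list[Endpoint]) -> list[Endpoint]:
    """Enabled endpoints, restricted to healthy ones unless all are degraded
    (Traffic Manager then treats every endpoint as online)."""
    enabled = [e for e in endpoints if e.enabled]
    healthy = [e for e in enabled if e.healthy]
    return healthy or enabled


def route_priority(endpoints: list[Endpoint]) -> Optional[str]:
    """Priority method: the highest-priority (lowest number) candidate wins."""
    pool = _candidates(endpoints)
    if not pool:
        return None
    return min(pool, key=lambda e: e.priority).target


def route_performance(endpoints: list[Endpoint], client_region: str,
                      latency_ms: dict[tuple[str, str], float]) -> Optional[str]:
    """Performance method: the candidate with the lowest latency from the client's region wins.
    latency_ms maps (client_region, endpoint_name) -> milliseconds; unknown pairs are treated as worst."""
    pool = _candidates(endpoints)
    if not pool:
        return None
    return min(pool, key=lambda e: latency_ms.get((client_region, e.name), float("inf"))).target


# Constructed sample: a web app deployed to two regions behind one Traffic Manager profile.
PRIMARY = Endpoint("app-westeurope", "app-we.example.com", priority=1, healthy=True)
SECONDARY = Endpoint("app-northeurope", "app-ne.example.com", priority=2, healthy=True)
PROFILE = [PRIMARY, SECONDARY]

# Constructed latency measurements (ms) from a client region to each endpoint.
LATENCY = {
    ("uk", "app-westeurope"): 18.0, ("uk", "app-northeurope"): 12.0,
    ("de", "app-westeurope"): 9.0,  ("de", "app-northeurope"): 25.0,
}


def failover_sequence() -> list[str]:
    """Answers returned as the primary goes down and comes back (Priority method)."""
    answers = [route_priority(PROFILE)]
    PRIMARY.healthy = False           # probes start failing in West Europe
    answers.append(route_priority(PROFILE))
    PRIMARY.healthy = True            # region recovers; DNS answers swing back after the record TTL
    answers.append(route_priority(PROFILE))
    return answers


if __name__ == "__main__":
    print("priority failover:", failover_sequence())
    print("performance (uk):", route_performance(PROFILE, "uk", LATENCY))
    print("performance (de):", route_performance(PROFILE, "de", LATENCY))
```

The Priority walk-through is the "automatically fail over if it detects a failure in the primary region" behaviour in the notes; the practical caveat it makes visible is that clients keep the old answer until the DNS TTL expires, so failover time is probe interval plus TTL, not instantaneous.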

3. Network Security

Firewall

Source: Azure

Firewall Manager(Network Security Management)

Source: Azure

Web Application Firewall (WAF)

Protects against attacks such as SQL injection and cross-site scripting.

Source: Azure

IP firewall rules

These rules enable clients to access your entire Azure SQL server, that is, all the databases within the same SQL Database server. These rules are stored in the master database. Server-level IP firewall rules can be configured by using the portal or by using Transact-SQL statements. To create server-level IP firewall rules using the Azure portal or PowerShell, you must connect to the SQL Database instance as the server-level principal login or the Azure Active Directory administrator.

Bastion (secure access to VMs)

RDP and SSH sessions connect directly to the server and can be used to install or remove software, so leaving those ports open is a serious security risk. If you deploy the Bastion service, RDP sessions to the server go through Bastion instead.

To create a Bastion, you must configure a subnet for Bastion in the VNet.

Private Link (private access to services)

Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary. You can create your own private link service in your virtual network and deliver it to your customers. Setup and consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared partner services.

DDoS Protection

Rate limiting: protect an API by adding a rate limit policy (throttling)

Network Security Groups

You can use Network Security Groups to define the traffic flow rules into and out of Virtual Machines.

4. Hybrid Cloud

VPN Gateway

There should be an encrypted connection.

VPN Gateway is less expensive than ExpressRoute and is better suited to smaller traffic volumes.

A VPN gateway can be configured as a failover route if there's a loss of connectivity to an ExpressRoute circuit. → To provide a redundant failover connection
A VPN gateway sends encrypted traffic between an on-premises network and the Azure network over the public internet.
Both services have redundancy support when they are added to an Azure availability zone.

Source: Azure

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure.

  1. Create a virtual network
  2. Create a VPN Gateway
  3. Create a local network gateway
  4. Create a VPN Connection
  5. Verify the connection
  6. Connect to a virtual machine

ExpressRoute

Layer 3 (router, dynamic routing) connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider.

The limit is based on the SKU and size of the ExpressRoute circuit. At present, 100 is the maximum for all.

A circuit provides a physical connection for transmitting data through the ExpressRoute provider’s edge routers to the Microsoft edge routers.

A point-to-point Ethernet connection is used to connect on-premises datacenters and offices to Azure through a point-to-point Ethernet link.

A 100 Gbps bandwidth circuit is currently the maximum available with ExpressRoute.

ExpressRoute works in an active-active state.

Global network supported (Premium)
→ Private but not encrypted

It provides a dedicated, private connection between your on-premises resources and Azure. Extra security is possible by adding network security appliances between edge routers.

Ensure that all ExpressRoute resources are created in a resource group
→ An Azure Policy assignment at the subscription level that has an exclusion.

Delegate the creation of the ExpressRoute resources to Networking.
→ A custom RBAC role assignment at the level of RG1. Azure role-based access control (RBAC) is the authorization system you use to manage access to Azure resources. To grant access, you assign roles to users, groups, service principals, or managed identities at a particular scope.

Implement Azure ExpressRoute and configure a routing table. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the

Source: Azure

Azure Virtual WAN

Source: Azure

Azure Peering

A collaboration platform with service providers and a value-added service that’s intended to offer optimal and reliable routing to the customer via service provider partners to the Microsoft cloud over the public network.

It enables you to connect your on-premises network to Office 365 services and Dynamics 365.

Source: Azure

5. Cache

Content Delivery Network (CDN)

This is used for content delivery.

CDN type settings

Dynamic compression: gzip

6. DNS

Azure DNS

Azure Private DNS

Azure Private DNS provides a reliable and secure DNS service to manage and resolve domain names in a virtual network without the need to add a custom DNS solution. By using private DNS zones, you can use your own custom domain names instead of the names Azure provides today. Using custom domain names lets you tailor your virtual network architecture to best suit your organization's needs. It provides name resolution for virtual machines (VMs) within a virtual network and between virtual networks. You can also configure zones with a split-horizon view, which allows a private DNS zone and a public DNS zone to share the same name.

To resolve the records of a private DNS zone from a virtual network, you must link the virtual network to that zone. Linked virtual networks have full access and can resolve all DNS records published in the private zone.

7. Monitor

Network Watcher

Azure Network Watcher provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. Network Watcher is designed to monitor and repair the network health of IaaS.

  • Connection troubleshoot displays the latency associated with each hop in a route.
  • The Network Watcher Agent VM Extension is required when you capture traffic on a VM. It’s automatically installed when you start a packet capture session in the Azure portal.
  • Manage packet captures

Template deployment

With Resource Manager, you can create a template that defines the infrastructure and configuration of your Azure solution. By using a template, you can repeatedly deploy your solution.
Use JSON Template to create the resources. Place the shared resources in one resource group and the application-specific resources in a separate resource group.

hub-spoke architecture

The hub becomes the core of the business and provides the foundations for much deeper business insight.

Example)

The Azure virtual machines on Subnet1 must be accessible only from the computers in the London office: a site-to-site VPN

Engineers require access to the Azure virtual machines on Subnet2 over the internet on a specific TCP/IP management port: an NSG (network security group)

The Azure virtual machines in the West Europe region must be able to communicate on all ports with the Azure virtual machines in the North Europe region (VM-to-VM communication): virtual network peering
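The Subnet2 requirement above (engineers reach the VMs from the internet on one management port) and the two Network Security Groups sections earlier are all about the same mechanism: an NSG evaluates its rules in priority order, the first matching rule decides, and the three default inbound rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) catch everything else. The evaluator below is an added example written for these notes, not Azure's NSG engine. Service-tag membership is a constructed approximation (the real lists are maintained by Azure), and the subnet ranges, the engineers' public range 198.51.100.0/24 and the management port 50000 are constructed values; 168.63.129.16 is the real platform address behind the AzureLoadBalancer tag.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int      # custom rules use 100-4096; lower values are evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, single IP, "*" or a service tag
    destination: str
    dest_port: str     # "*", a single port, or a range such as "1000-2000"


# Constructed model of service tags. VirtualNetwork covers the VNet space plus a connected
# on-premises range; AzureLoadBalancer is the health-probe source address.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.10.0/24"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


def matches_address(addr: str, spec: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "Internet":  # approximated as "anything not inside the VirtualNetwork tag"
        return not matches_address(addr, "VirtualNetwork")
    if spec in SERVICE_TAGS:
        return any(ip in ipaddress.ip_network(p) for p in SERVICE_TAGS[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def matches_port(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def matches_protocol(proto: str, spec: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(rules: list[NsgRule], direction: str, protocol: str,
             src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Walk the rules in priority order; the first match decides. Returns (access, rule name)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction
                and matches_protocol(protocol, r.protocol)
                and matches_address(src_ip, r.source)
                and matches_address(dst_ip, r.destination)
                and matches_port(dst_port, r.dest_port)):
            return r.access, r.name
    raise LookupError("no rule matched; a real NSG always ends in a default deny rule")


# The default inbound rules Azure creates in every NSG.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# Scenario: Subnet2 is 10.0.2.0/24; engineers arrive from a known public range on one management port.
# Scoping the source to that range instead of "Internet" is what keeps the port closed to everyone else.
ENGINEERS_RANGE = "198.51.100.0/24"   # constructed
MGMT_PORT = 50000                     # constructed stand-in for the "specific management port"
SUBNET2 = "10.0.2.0/24"
SUBNET2_NSG = [NsgRule("AllowEngineersMgmtInBound", 100, "Inbound", "Allow", "Tcp",
                       ENGINEERS_RANGE, SUBNET2, str(MGMT_PORT))] + DEFAULT_INBOUND


if __name__ == "__main__":
    for src, port in [("198.51.100.7", MGMT_PORT), ("203.0.113.9", MGMT_PORT),
                      ("198.51.100.7", 22), ("10.0.1.5", 22), ("168.63.129.16", MGMT_PORT)]:
        print(f"{src}:{port} -> {evaluate(SUBNET2_NSG, 'Inbound', 'Tcp', src, '10.0.2.4', port)}")
```

The run shows why the default rules matter when reviewing an NSG: VNet-internal traffic and load balancer probes are admitted by rules you did not write, and anything from the internet that is not explicitly allowed falls through to DenyAllInBound.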

Border Gateway Protocol

BGP is an optional feature you can use with Azure Route-Based VPN gateways. You should also make sure your on-premises VPN devices support BGP before you enable the feature. You can continue to use Azure VPN gateways and your on-premises VPN devices without BGP. It is the equivalent of using static routes (without BGP) vs. using dynamic routing with BGP between your networks and Azure.

  • Support automatic and flexible prefix updates
  • Support multiple tunnels between a VNet and an on-premises site with automatic failover based on BGP
  • Support transit routing between your on-premises networks and multiple Azure VNets

Each on-premises site has Azure ExpressRoute circuits to both regions.

  • Outbound traffic to the Internet from workloads hosted on the virtual networks must be routed through the closest available on-premises site.
    → Routing from the virtual networks to the on-premises locations must be configured by using.
  • If an on-premises site fails, traffic from the workloads on the virtual networks to the Internet must reroute automatically to the other site.
    → The automatic routing configuration following a failover must be handled by using.

Accelerated networking

100 Standard_F2s_v2 Azure virtual machines. You need to increase the network performance of the workloads running on the virtual machines. The CPU-to-memory ratio must remain the same, and the solution must minimize costs.
→ Enable accelerated networking

Example)

An Azure logic app that is prevented from accessing the internet: an Azure logic app named Logic App1 requires write access to a database on Server1.
An on-premises data gateway
An Azure Event Grid domain

IPv4: 192.168.0.0: a private-use IP range.

192.168.0.0 is an intranet IP address range commonly assigned to phones, desktops, laptops, TVs, smart speakers, and other devices. All Azure virtual machines must be placed on the same subnet, subnet1. All the Azure virtual machines must be able to communicate with all on-premises servers. The servers must be able to communicate between the on-premises network and Azure by using a site-to-site VPN.
→ subnet1: 192.168.0.0/24
→ Gateway subnet: 192.168.1.0/28
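The Subnet section (the VNet address space must not conflict with on-premises), the Bastion section (Bastion needs its own subnet), the Template deployment section (create the resources from a JSON template) and the addressing example just above all come down to one planning step. The script below is an added example for these notes, not Azure tooling: it validates a subnet plan and then emits the corresponding ARM virtual network resource. It uses the page's values (192.168.0.0/24 for subnet1, 192.168.1.0/28 for the gateway subnet) and adds a constructed on-premises range 10.10.0.0/16 and a constructed Bastion subnet 192.168.2.0/26. The checks encode Azure rules the page does not state: five addresses are reserved per subnet (so /29 is the smallest usable size), the VPN gateway subnet must be named GatewaySubnet, and AzureBastionSubnet must be /26 or larger.

```python
import ipaddress
import json

AZURE_RESERVED_PER_SUBNET = 5     # network, broadcast and three platform addresses
SMALLEST_SUBNET_PREFIX = 29
GATEWAY_SUBNET_NAME = "GatewaySubnet"
BASTION_SUBNET_NAME = "AzureBastionSubnet"
MIN_BASTION_PREFIX = 26           # Azure requires /26 or larger for the Bastion subnet


def usable_addresses(cidr: str) -> int:
    """Hosts left in a subnet after Azure's reserved addresses are taken out."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def check_plan(address_space: str, subnets: dict[str, str], onprem_ranges: list[str]) -> list[str]:
    """Return the list of problems with a VNet plan; an empty list means it is valid."""
    problems = []
    space = ipaddress.ip_network(address_space)
    for r in onprem_ranges:
        if space.overlaps(ipaddress.ip_network(r)):
            problems.append(f"address space {address_space} overlaps on-premises range {r}")
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside {address_space}")
        if net.prefixlen > SMALLEST_SUBNET_PREFIX:
            problems.append(f"{name} {net} is smaller than /{SMALLEST_SUBNET_PREFIX}")
        if name == BASTION_SUBNET_NAME and net.prefixlen > MIN_BASTION_PREFIX:
            problems.append(f"{name} {net} must be /{MIN_BASTION_PREFIX} or larger")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    if GATEWAY_SUBNET_NAME not in nets:
        problems.append(f"a site-to-site VPN needs a subnet named {GATEWAY_SUBNET_NAME}")
    return problems


def vnet_template(vnet_name: str, location: str, address_space: str, subnets: dict[str, str]) -> dict:
    """ARM template with one Microsoft.Network/virtualNetworks resource carrying the subnets."""
    return {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [{
            "type": "Microsoft.Network/virtualNetworks",
            "apiVersion": "2021-05-01",
            "name": vnet_name,
            "location": location,
            "properties": {
                "addressSpace": {"addressPrefixes": [address_space]},
                "subnets": [{"name": n, "properties": {"addressPrefix": c}} for n, c in subnets.items()],
            },
        }],
    }


# Plan from the notes plus a constructed Bastion subnet; the on-premises range is constructed.
ADDRESS_SPACE = "192.168.0.0/16"
PLAN = {"subnet1": "192.168.0.0/24", GATEWAY_SUBNET_NAME: "192.168.1.0/28", BASTION_SUBNET_NAME: "192.168.2.0/26"}
ONPREM = ["10.10.0.0/16"]


if __name__ == "__main__":
    print("problems:", check_plan(ADDRESS_SPACE, PLAN, ONPREM))
    for name, cidr in PLAN.items():
        print(f"{name:20s} {cidr:18s} usable hosts: {usable_addresses(cidr)}")
    print(json.dumps(vnet_template("vnet-hub", "koreacentral", ADDRESS_SPACE, PLAN), indent=2))
```

Running it with an on-premises range of 192.168.0.0/16 instead reports the overlap, which is the conflict the Subnet section warns about and the reason the plan is checked before the template is deployed rather than after.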

IT Service Management Connector (ITSM)

You plan to deploy several services to Azure. You need to recommend a solution to push Azure Service Health alerts to Service Manager.

I will be a software architect.