Chapter 5.1 Microsoft Azure Cloud Fundamentals-2

Microsoft Azure Networking provides tools and services for secure connectivity in cloud and hybrid environments, including Azure Virtual Network, Load Balancer, and Firewall. Key features include traffic management, security solutions, and integration with Azure services. The document also outlines Azure's compliance with regulations and various subscription models available for users.

Uploaded by Syed Abubakar

Microsoft Azure Networking

Azure Networking provides tools and services to securely connect resources in the cloud and hybrid environments.

Oksana Dudnik | November 2020 | LifeGuide


Agenda

• Introduction to Azure Networking
• Key Azure Networking Services
• Azure Virtual Network (VNet)
• Networking Security Solutions
• Load Balancing and Traffic Management
• Connecting On-Premises to Azure
• Monitoring and Optimization
• Real-World Use Cases
Azure Networking Services

1. Azure Virtual Network (VNet): Private network in Azure for resource communication.
2. Azure Load Balancer: Distributes Layer 4 traffic (TCP/UDP) across resources.
3. Azure Application Gateway: Layer 7 HTTP/HTTPS load balancing with Web Application Firewall (WAF).
4. Azure VPN Gateway: Secure connection between on-premises and Azure via IPsec/IKE VPNs.
5. Azure ExpressRoute: Private, dedicated connection for enterprise applications.
6. Azure Firewall: Stateful cloud-based firewall with threat protection.
7. Azure Traffic Manager: DNS-based traffic routing across global endpoints.
8. Azure Front Door: Global content delivery and acceleration service for websites.
Azure Virtual Network (VNet)

Azure Virtual Network is a private network space in Azure that allows Azure resources (e.g., virtual machines, databases, and applications) to securely communicate with each other and the internet.

• Subnets: Divide the VNet into logical sections for better management.
• Private IPs: Assign private IPs to resources for internal communication.
• Public IPs: Allow external access to specific resources (e.g., web servers).
• Network Security Groups (NSGs): Rules to filter inbound and outbound traffic to resources.
• VNet Peering: Connect two VNets for seamless communication. Supports global peering (across regions).

Benefits:
• Enhanced security and isolation.
• Seamless integration with Azure services.
• Flexibility in scaling network architecture.
Azure Load Balancer

Distributes incoming network traffic across multiple resources (e.g., VMs) to ensure reliability and availability.

• Operates at Layer 4 (TCP/UDP).
• Balancing web server traffic.
• Providing high availability for applications.
Networking Security Solutions in Azure

• Azure Firewall:
  • Stateful, managed firewall for centralized security.
  • Features: Threat intelligence, FQDN filtering, SNAT/DNAT.
• Network Security Groups (NSGs):
  • Filter traffic at subnet or NIC level.
  • Rule-based control using a 5-tuple (Source IP, Destination IP, Protocol, Port, Action).
• Azure DDoS Protection:
  • Defends against volumetric, protocol, and application-layer attacks.
  • Standard tier: Enhanced protection with attack analytics.
Load Balancing and Traffic Management

• Azure Load Balancer: Operates at Layer 4 (TCP/UDP).
  • Scenarios: Distribute traffic to VMs or containers.
• Azure Application Gateway: Layer 7 traffic distribution.
  • SSL offloading, URL-based routing, and Web Application Firewall (WAF).
  • Ideal for hosting multiple sites with unique rules.
• Azure Traffic Manager: DNS-based global traffic routing.
  • Routing Methods:
    • Priority: Routes to the primary endpoint unless it is unavailable.
    • Performance: Routes to the lowest-latency endpoint.
    • Geographic: Routes based on user location.
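The three Traffic Manager routing methods listed above, simulated over constructed endpoints. This is an added example, not code from the slides or from Microsoft: Traffic Manager is a DNS-level service that answers a name query with the chosen endpoint's DNS name and never proxies the traffic, so the model only decides which name to return. The endpoint names, latency table and region-to-endpoint mapping are constructed for illustration; a real profile uses Traffic Manager's own Internet latency measurements and the resolver's location, and the handling of an unhealthy geographic endpoint below is a simplification of the model, not a statement of the service's behaviour.

```python
"""Simulation of the three Traffic Manager routing methods on constructed endpoints."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Endpoint:
    name: str
    target: str                       # DNS name returned to the client
    healthy: bool = True              # result of Traffic Manager health probing
    priority: int = 1                 # priority routing: lower value is preferred
    latency_ms: Dict[str, int] = field(default_factory=dict)  # client region -> latency (constructed)
    geo_codes: Tuple[str, ...] = ()   # geographic routing: regions mapped here; "WORLD" is the catch-all


def route_priority(endpoints) -> Optional[str]:
    """Primary endpoint unless it is unhealthy; then the next-best priority value."""
    healthy = [e for e in endpoints if e.healthy]
    return min(healthy, key=lambda e: e.priority).target if healthy else None


def route_performance(endpoints, client_region) -> Optional[str]:
    """Healthy endpoint with the lowest latency for the client's region."""
    candidates = [e for e in endpoints if e.healthy and client_region in e.latency_ms]
    return min(candidates, key=lambda e: e.latency_ms[client_region]).target if candidates else None


def route_geographic(endpoints, client_region) -> Optional[str]:
    """Endpoint mapped to the client's region; WORLD only when no explicit mapping exists.

    Simplification of this model: an unhealthy geographic endpoint yields no answer
    (None) instead of failing over; real deployments nest a priority profile under
    each region when they need failover.
    """
    explicit = [e for e in endpoints if client_region in e.geo_codes]
    fallback = [e for e in endpoints if "WORLD" in e.geo_codes]
    chosen = explicit or fallback
    if not chosen:
        return None
    return chosen[0].target if chosen[0].healthy else None


# Constructed endpoints: a European primary and a US secondary.
ENDPOINTS = [
    Endpoint("eu-primary", "eu.app.example", priority=1,
             latency_ms={"EU": 20, "US": 110, "APAC": 190}, geo_codes=("EU",)),
    Endpoint("us-secondary", "us.app.example", priority=2,
             latency_ms={"EU": 120, "US": 25, "APAC": 160}, geo_codes=("WORLD",)),
]


def with_health(endpoints, name, healthy):
    """Copy of the endpoint list with one endpoint's probe state changed."""
    return [Endpoint(e.name, e.target, healthy if e.name == name else e.healthy,
                     e.priority, dict(e.latency_ms), e.geo_codes) for e in endpoints]


if __name__ == "__main__":
    print("priority        ->", route_priority(ENDPOINTS))
    print("priority (fail) ->", route_priority(with_health(ENDPOINTS, "eu-primary", False)))
    print("performance/US  ->", route_performance(ENDPOINTS, "US"))
    print("geographic/APAC ->", route_geographic(ENDPOINTS, "APAC"))
```

Running the block shows why health probing matters for every method: the priority profile only fails over because the probe marks the primary unhealthy, and a client whose region has no explicit geographic mapping is served by the WORLD endpoint.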
Azure Bastion

Azure Bastion provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines (VMs) hosted in Azure. The service eliminates the need to expose your VMs to the public internet, enhancing security while simplifying management.

• Uses a secure, fully encrypted HTTPS session.
• Eliminates the need to assign public IP addresses to VMs.
• Allows you to connect to your VMs using only a web browser and the Azure Portal.
• Fully managed service that requires no additional infrastructure.
• Users log in to the Azure Portal and select a VM. The "Connect" option offers Azure Bastion for RDP/SSH access. The session runs entirely within the Azure environment via HTTPS.
Understand Security, Privacy, Compliance, and Trust

Azure Firewall

Azure Firewall is a managed, cloud-based, network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Azure Firewall provides inbound protection for non-HTTP/S protocols. Examples of non-HTTP/S protocols include Remote Desktop Protocol (RDP), Secure Shell (SSH), and File Transfer Protocol (FTP).

It also provides outbound, network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
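The split the slide describes, network-level rules for any port and protocol versus application-level rules for outbound HTTP/S, shown as a rule-processing model over constructed flows. This is an added example, not code from the slides or from Microsoft. It assumes the documented Azure Firewall order: DNAT rules first (inbound translation, which also permits the translated flow), then network rules, then application rules; rule collections are visited by ascending priority, the first matching rule wins, and a flow matching nothing is denied. Application rules only see HTTP/HTTPS flows and match on FQDN; threat intelligence and SNAT are not modelled. All addresses, subnets and FQDNs are constructed.

```python
"""Model of Azure Firewall rule processing (DNAT -> network -> application) for constructed flows."""
from dataclasses import dataclass, replace
from fnmatch import fnmatch
from typing import Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class NetworkRule:            # L3/L4 rule for any protocol (RDP, SSH, SQL, ...)
    action: str               # "Allow" | "Deny"
    protocol: str             # "TCP" | "UDP" | "Any"
    source: str               # CIDR or "*"
    destination: str          # CIDR or "*"
    ports: Tuple              # destination ports, or ("*",)


@dataclass(frozen=True)
class AppRule:                # L7 rule for outbound HTTP/S, matched on FQDN
    action: str
    source: str
    fqdns: Tuple[str, ...]    # exact names or wildcards such as "*.updates.example"
    protocols: Tuple[str, ...]  # "http:80", "https:443"


@dataclass(frozen=True)
class DnatRule:               # inbound translation from a firewall public IP:port
    source: str
    public_ip: str
    public_port: int
    translated_ip: str
    translated_port: int


@dataclass(frozen=True)
class Collection:
    priority: int             # lower value is processed first
    rules: Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dport: int
    fqdn: Optional[str] = None  # host name for HTTP/S flows (Host header / SNI)


def _in(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def apply_dnat(collections, flow):
    """Rewrite a flow hitting a published public IP:port to its private target; returns (flow, translated)."""
    for coll in sorted(collections, key=lambda c: c.priority):
        for r in coll.rules:
            if _in(r.source, flow.src) and flow.dst == r.public_ip and flow.dport == r.public_port:
                return replace(flow, dst=r.translated_ip, dport=r.translated_port), True
    return flow, False


def evaluate(policy, flow):
    """Return (action, stage, effective_flow) for a constructed policy dict."""
    flow, translated = apply_dnat(policy["dnat"], flow)
    if translated:
        return "Allow", "dnat", flow
    for coll in sorted(policy["network"], key=lambda c: c.priority):
        for r in coll.rules:
            if (r.protocol in ("Any", flow.protocol) and _in(r.source, flow.src)
                    and _in(r.destination, flow.dst) and ("*" in r.ports or flow.dport in r.ports)):
                return r.action, "network", flow
    # Only HTTP/S flows carrying a host name reach the application rules.
    if flow.protocol == "TCP" and flow.dport in (80, 443) and flow.fqdn:
        tag = "https:443" if flow.dport == 443 else "http:80"
        for coll in sorted(policy["application"], key=lambda c: c.priority):
            for r in coll.rules:
                if (_in(r.source, flow.src) and tag in r.protocols
                        and any(fnmatch(flow.fqdn, pattern) for pattern in r.fqdns)):
                    return r.action, "application", flow
    return "Deny", "implicit-deny", flow


# Constructed policy: publish one service via DNAT, quarantine a subnet, allow SQL
# between two VNets, and allow outbound HTTPS only to named FQDNs.
POLICY = {
    "dnat": [Collection(100, (DnatRule("*", "203.0.113.10", 443, "10.0.1.4", 8443),))],
    "network": [
        Collection(150, (NetworkRule("Deny", "Any", "10.0.9.0/24", "*", ("*",)),)),  # quarantined subnet
        Collection(200, (NetworkRule("Allow", "TCP", "10.0.0.0/16", "10.1.0.0/16", (1433,)),)),
    ],
    "application": [
        Collection(400, (AppRule("Allow", "10.0.0.0/16",
                                 ("*.updates.example", "api.contoso.example"),
                                 ("http:80", "https:443")),)),
    ],
}

if __name__ == "__main__":
    for f in (Flow("198.51.100.7", "203.0.113.10", "TCP", 443),
              Flow("10.0.9.5", "10.1.0.5", "TCP", 1433),
              Flow("10.0.1.4", "203.0.113.80", "TCP", 443, "cdn.updates.example"),
              Flow("10.0.1.4", "10.1.0.5", "TCP", 22)):
        print(f, "->", evaluate(POLICY, f)[:2])
```

The quarantine collection sits at priority 150 so it is consulted before the SQL allow at 200, which is the ordering mistake to watch for when a deny is added after the fact; and an SSH flow that matches no network rule never reaches the application rules, so it ends at the implicit deny.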

Azure DDoS Protection

DDoS Protection leverages the scale and elasticity of Microsoft's global network to bring DDoS mitigation capacity to every Azure region. The Azure DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service's availability. Within a few minutes of attack detection, you are notified using Azure Monitor metrics.

Network Security Group (NSG)

NSGs operate at layers 3 & 4, and provide a list of allowed and denied communication to and from network interfaces and subnets. NSGs are fully customizable, and give you the ability to fully lock down network communication to and from your virtual machines. By using NSGs, you can isolate applications between environments, tiers, and services.
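A priority-ordered NSG evaluator over constructed traffic, covering both the 5-tuple rule description in the security-solutions slide and the layer 3/4 allow/deny description here. This is an added example, not code from the slides or from Microsoft. It assumes the documented NSG semantics: rules are evaluated by ascending priority, the first match decides, and every NSG ends with the default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500, and the outbound equivalents). A rule matches on source address, source port, destination address, destination port and protocol, with Allow/Deny as the rule's outcome. Service tags are reduced to a constructed VNet range and the load balancer probe address; real NSGs resolve them to Azure's published ranges. The hygiene check at the end flags the kind of rule Azure Bastion (described above) is meant to make unnecessary.

```python
"""Priority-ordered evaluation of Network Security Group rules over constructed traffic."""
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress

VNET_RANGES = [ipaddress.ip_network("10.0.0.0/16")]   # constructed VNet address space
LB_PROBE = ipaddress.ip_address("168.63.129.16")      # Azure load balancer health probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules; defaults use 65000 and above
    direction: str       # "Inbound" | "Outbound"
    access: str          # "Allow" | "Deny"
    protocol: str        # "Tcp" | "Udp" | "*"
    source: str          # CIDR, service tag or "*"
    source_port: str     # "22", "1000-2000" or "*"
    destination: str
    destination_port: str


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_RANGES)
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE
    if spec == "Internet":   # simplification: anything outside the VNet that is not the probe
        return ip != LB_PROBE and not any(ip in net for net in VNET_RANGES)
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate(rules: List[Rule], direction, protocol, src, sport, dst, dport) -> Tuple[str, str]:
    """Return (access, rule_name) from the first matching rule by priority, defaults included."""
    ordered = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if (_addr_matches(r.source, src) and _port_matches(r.source_port, sport)
                and _addr_matches(r.destination, dst) and _port_matches(r.destination_port, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll default rules always match")


def exposed_management_rules(rules: List[Rule], ports=(22, 3389)) -> List[str]:
    """Defender check: custom inbound Allow rules that open SSH/RDP to any or Internet sources."""
    broad = ("*", "Internet", "0.0.0.0/0")
    return [r.name for r in rules
            if r.direction == "Inbound" and r.access == "Allow" and r.source in broad
            and r.protocol in ("*", "Tcp") and any(_port_matches(r.destination_port, p) for p in ports)]


# Constructed NSG: HTTPS from the Internet is intended; the RDP rule is the mistake to catch.
SAMPLE_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "*", "443"),
    Rule("AllowRdpFromAnywhere", 110, "Inbound", "Allow", "Tcp", "*", "*", "*", "3389"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "Inbound", "Tcp", "198.51.100.7", 51000, "10.0.1.4", 443))
    print(evaluate(SAMPLE_RULES, "Inbound", "Tcp", "198.51.100.7", 51000, "10.0.1.4", 22))
    print("review:", exposed_management_rules(SAMPLE_RULES))
```

Two behaviours worth noticing in the output: traffic between VNet addresses is allowed by the 65000 default rule even though no custom rule mentions it, and a rule's position is decided only by its priority number, not by the order it was added.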

Authentication (Who are you?)

Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.

Authorization (What are you allowed to do?)

Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Azure Active Directory (Authentication, SSO, Application Management, B2B Identity Services, Device Management)

• Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone.
• This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile, can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

• Authentication
• Single Sign-On (SSO)
• Application Management
• Business to Business (B2B) Identity Services
• Device Management
What is Azure Active Directory and how is it used?

• Microsoft offers Azure Active Directory, a fully managed multi-tenant service that implements identity and access capabilities for applications running in Azure as well as applications operating in the on-premises environment. It is used to provide single sign-on and multi-factor authentication to help protect users from attacks.
• It provides access to two types of resources:
  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization. You must create a new tenant for your organization in Azure Active Directory.
• More details: for more information about creating a tenant for your organization, see "Create a new tenant in Azure Active Directory": https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Azure Multi-Factor Authentication

Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication.

These elements fall into three categories:

1. Something you know (e.g. password)
2. Something you possess (e.g. mobile app)
3. Something you are (e.g. fingerprint or face scan)

Azure Security Center

Security Center is a monitoring service that provides threat protection across all of your services, both in Azure and on-premises.
Available in two tiers:
• Free (limited to assessments and recommendations only);
• Standard (full suite of security-related services including continuous monitoring, threat detection and just-in-time access control).

Azure Security Center - Usage Scenarios

• Incident Response (Detect, Assess, Diagnose)
• Implement Recommendations

Key Vault

Azure Key Vault is a secret store: a centralized cloud service for storing application secrets. Key Vault helps you control your applications' secrets by keeping them in a single central location and providing secure access, permissions control, and access logging.

Microsoft Azure Information Protection (MSIP)

A cloud-based solution that helps organizations classify and optionally protect documents and emails by applying labels. It can analyze data flows, detect risky behavior, track access to documents, and prevent data leakage or misuse of confidential information.

Azure Advanced Threat Protection (Azure ATP)

A cloud-based security solution that identifies, detects, and helps you investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Azure ATP is capable of detecting known malicious attacks and techniques, security issues, and risks against your network.

Azure Policies

Azure Policy is a service you can use to create, assign, and manage policies. These policies apply and enforce rules that your resources need to follow. Policies can enforce these rules when resources are created and can be evaluated against existing resources to give visibility into compliance.

Initiatives

Initiatives work alongside policies in Azure Policy. An initiative definition is a set or group of policy definitions to help track your compliance state for a larger goal.
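The two evaluation modes described above (enforcement at creation, and compliance evaluation of existing resources) shown on policy definitions in their JSON shape, grouped into an initiative. This is an added example, not code from the slides or from Microsoft: the definitions use the real policyRule layout (an "if" condition over resource fields and a "then" effect), but the evaluator is a small subset that understands field/equals/notEquals/in/notIn/exists, allOf/anyOf/not, and only the deny and audit effects. Deny blocks a resource at creation; audit lets it through and marks it non-compliant. The initiative, the definition names and every resource below are constructed.

```python
"""Evaluating Azure Policy definitions (policyRule if/then) against constructed resources."""
import json
from typing import Dict, List, Tuple


def _field(resource: dict, name: str):
    """Resolve a policy field alias: "location", "type", or "tags['key']"."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)


def _norm(value):
    return value.lower() if isinstance(value, str) else value   # policy string compares are case-insensitive


def matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError("unsupported condition: " + json.dumps(cond))


def triggered_effects(initiative: List[dict], resource: dict) -> List[str]:
    """Effects whose 'if' condition matches the resource, in initiative order."""
    return [d["policyRule"]["then"]["effect"].lower()
            for d in initiative if matches(d["policyRule"]["if"], resource)]


def check_create(initiative, resource) -> Tuple[bool, List[str]]:
    """Enforcement at creation: any deny effect rejects the request."""
    effects = triggered_effects(initiative, resource)
    return "deny" not in effects, effects


def compliance(initiative, resources: List[dict]) -> Dict[str, str]:
    """Evaluation of existing resources: any matching policy makes the resource non-compliant."""
    return {r["name"]: ("NonCompliant" if triggered_effects(initiative, r) else "Compliant")
            for r in resources}


# Constructed initiative: restrict locations (deny) and require a costCenter tag on VMs (audit).
INITIATIVE = [
    {"name": "allowed-locations", "policyRule": {
        "if": {"field": "location", "notIn": ["eastus", "westeurope"]},
        "then": {"effect": "deny"}}},
    {"name": "require-costcenter-tag", "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "tags['costCenter']", "exists": "false"}]},
        "then": {"effect": "audit"}}},
]

# Constructed resources to evaluate.
VM_OK = {"name": "vm-ok", "type": "Microsoft.Compute/virtualMachines", "location": "eastus",
         "tags": {"costCenter": "CC100"}}
VM_WRONG_REGION = {"name": "vm-brazil", "type": "Microsoft.Compute/virtualMachines",
                   "location": "brazilsouth", "tags": {"costCenter": "CC100"}}
VM_UNTAGGED = {"name": "vm-untagged", "type": "Microsoft.Compute/virtualMachines",
               "location": "WestEurope", "tags": {}}

if __name__ == "__main__":
    for vm in (VM_OK, VM_WRONG_REGION, VM_UNTAGGED):
        print(vm["name"], "create ->", check_create(INITIATIVE, vm))
    print(compliance(INITIATIVE, [VM_OK, VM_WRONG_REGION, VM_UNTAGGED]))
```

The untagged VM illustrates the difference between the two effects: it is created (audit does not block) but immediately shows as non-compliant, which is the visibility the slide refers to; the VM in the wrong region is refused outright.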

Role-Based Access Control

RBAC provides fine-grained access management for Azure resources, enabling you to grant users the specific rights they need to perform their jobs. RBAC is considered a core service and is included with all subscription levels at no cost.

Resource Locks

Resource locks are a setting that can be applied to any resource to block modification or deletion. Resource locks can be set to either Delete or Read-only. Delete will allow all operations against the resource but block the ability to delete it. Read-only will only allow read activities to be performed against it, blocking any modification or deletion of the resource. Resource locks can be applied to subscriptions, resource groups, and to individual resources, and are inherited when applied at higher levels.
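How RBAC role assignments and resource locks combine across the scope hierarchy, on a constructed subscription. This is an added example, not code from the slides or from Microsoft. It assumes the documented behaviour: a role assignment or lock made at subscription, resource group or resource scope is inherited by every child scope; RBAC decides whether the caller may perform an action; a lock is then enforced regardless of role (CanNotDelete blocks delete, ReadOnly blocks anything that is not a read). The role definitions are trimmed to a few actions, the principals are constructed, and the scope strings mimic Azure resource IDs but are not real ones.

```python
"""Scope inheritance for RBAC role assignments and resource locks on a constructed hierarchy."""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed, trimmed-down role definitions. Real built-in roles carry many more entries.
ROLES = {
    "Owner":       {"actions": ["*"], "notActions": []},
    "Contributor": {"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write",
                                                     "Microsoft.Authorization/*/Delete"]},
    "Reader":      {"actions": ["*/read"], "notActions": []},
}

LOCK_RANK = {None: 0, "CanNotDelete": 1, "ReadOnly": 2}   # stronger lock wins when several apply


def scope_covers(assigned_scope: str, target_scope: str) -> bool:
    """True when target_scope is assigned_scope itself or lies beneath it."""
    a, t = assigned_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")


def _action_in(patterns, action) -> bool:
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def rbac_allows(assignments, principal, action, scope) -> Tuple[bool, str]:
    """First inherited assignment whose role grants the action and does not exclude it."""
    for who, role, at in assignments:
        if who != principal or not scope_covers(at, scope):
            continue
        definition = ROLES[role]
        if _action_in(definition["actions"], action) and not _action_in(definition["notActions"], action):
            return True, f"{role} at {at}"
    return False, "no role assignment grants " + action


def effective_lock(locks: Dict[str, str], scope: str):
    """Strongest lock applied at the scope itself or at any parent scope, or None."""
    applicable = [level for at, level in locks.items() if scope_covers(at, scope)]
    return max(applicable, key=lambda level: LOCK_RANK[level], default=None)


def can_perform(assignments, locks, principal, action, scope) -> Tuple[bool, str]:
    """RBAC first, then locks: an Owner still cannot delete a CanNotDelete-locked resource."""
    ok, reason = rbac_allows(assignments, principal, action, scope)
    if not ok:
        return False, "rbac: " + reason
    lock = effective_lock(locks, scope)
    is_read = action.lower().endswith("/read")
    is_delete = action.lower().endswith("/delete")
    if lock == "ReadOnly" and not is_read:
        return False, "lock: ReadOnly blocks " + action
    if lock == "CanNotDelete" and is_delete:
        return False, "lock: CanNotDelete blocks " + action
    return True, "allowed by " + reason


# Constructed hierarchy: one subscription, two resource groups, one VM in each.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
VM_PROD = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-prod-1"
VM_DEV = RG_DEV + "/providers/Microsoft.Compute/virtualMachines/vm-dev-1"

ASSIGNMENTS: List[Tuple[str, str, str]] = [      # (principal, role, scope)
    ("alice", "Owner", SUB),
    ("bob", "Reader", RG_PROD),
    ("carol", "Contributor", VM_PROD),
]
LOCKS = {RG_PROD: "CanNotDelete"}                 # inherited by every resource in rg-prod

if __name__ == "__main__":
    for who, action, scope in (("alice", "Microsoft.Compute/virtualMachines/delete", VM_PROD),
                               ("alice", "Microsoft.Compute/virtualMachines/delete", VM_DEV),
                               ("bob", "Microsoft.Compute/virtualMachines/write", VM_PROD),
                               ("carol", "Microsoft.Authorization/roleAssignments/write", VM_PROD)):
        print(who, action.split("/")[-1], scope.split("/")[-1], "->",
              can_perform(ASSIGNMENTS, LOCKS, who, action, scope))
```

The lock check runs after RBAC on purpose: it is the reason a lock on a resource group protects production resources from an accidental deletion even by a subscription-level Owner, while the dev VM with no inherited lock can still be deleted.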

Azure Monitor

Azure Monitor maximizes the availability and performance of your applications by delivering a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments. It helps you understand how your applications are performing and proactively identifies issues affecting them and the resources they depend on.

Azure Service Health

Azure Service Health is a suite of experiences that provide personalized guidance and support when issues with Azure services affect you. It can notify you, help you understand the impact of issues, and keep you updated as the issue is resolved. Azure Service Health can also help you prepare for planned maintenance and changes that could affect the availability of your resources.
General Data Protection Regulation (GDPR)

As of May 25, 2018, a European privacy law, the GDPR, is in effect. GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. The GDPR applies no matter where you are located.

ISO/IEC 27018

Microsoft is the first cloud provider to have adopted the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

NIST CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risks. Microsoft cloud services have undergone independent, third-party Federal Risk and Authorization Management Program (FedRAMP) Moderate and High Baseline audits, and are certified according to the FedRAMP standards. Additionally, through a validated assessment performed by the Health Information Trust Alliance (HITRUST), a leading security and privacy standards development and accreditation organization, Office 365 is certified to the objectives specified in the NIST CSF.

Microsoft Privacy Statement

The Microsoft privacy statement explains what personal data Microsoft processes, how Microsoft processes it, and for what purposes.

Trust Center

Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. The Trust Center is an important part of the Microsoft Trusted Cloud Initiative, and provides support and resources for the legal and compliance community.

Service Trust Portal

The Service Trust Portal (STP) hosts the Compliance Manager service, and is the Microsoft public site for publishing audit reports and other compliance-related information relevant to Microsoft's cloud services.

Compliance Manager

Compliance Manager is a workflow-based risk assessment dashboard within the Trust Portal that enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft professional services and Microsoft cloud services such as Office 365, Dynamics 365, and Azure.

Azure Government Services

Azure Government is a cloud environment specifically built to meet compliance and security requirements for the US government. It is a physically separated instance of Microsoft Azure, specifically for the U.S. Government, that meets complex compliance standards and is designed to exceed U.S. Government requirements.

Pricing Model of Microsoft Azure

Azure Account

An Azure account is tied to a specific identity and holds information like: name, email, and contact preferences; billing information such as a credit card. An Azure account is what you use to sign into the Azure website and administer or deploy services. Every Azure account is associated with one or more subscriptions.

Azure Free Account

• Subset of Azure services free for 12 months (750 VM hours, 5 GB Storage, 250 GB SQL DB, etc.)
• $200 USD free credit (170 euro) to explore any Azure service for 30 days
• 25+ services always free

Azure Subscription

An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc.

Azure Subscription - Use and Options

Azure offers free and paid subscription options to suit different needs and requirements. The most commonly used subscriptions are:
• Free: An Azure free subscription includes a $200 credit to spend on any service for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free.
• Pay-As-You-Go: A Pay-As-You-Go (PAYG) subscription charges you monthly for the services you used in that billing period. This subscription type is appropriate for a wide range of users, from individuals to small businesses, and many large organizations as well.

• Enterprise Agreement: An Enterprise Agreement (EA) provides flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance. It's targeted at enterprise-scale organizations.
• Student: An Azure for Students subscription includes $100 in Azure credits to be used within the first 12 months plus select free services without requiring a credit card at sign-up. You must verify your student status through your organizational email address.
• Every Azure subscription includes:
  • Free access to billing and subscription support
  • Azure products and services documentation
  • Online self-help documentation
  • Community support forums

State the different pricing models of Microsoft Azure

Here are the different pricing models of Microsoft Azure:

• BYOL Model: Bring Your Own License. It is just a right-to-access model; you obtain the license outside of the Azure Marketplace. This model is not charged any fees.
• Free Software Trial: It is a full-featured version which is promotionally free for a limited period of time. However, for excessive use, you need to pay fees.
• Usage-based: This is a widely used model of Microsoft Azure. Here, users are charged only for the services they use.
• Monthly fee: Here, you need to pay a fixed monthly payment for a subscription.

Microsoft offers multiple ways by which one can buy Azure subscriptions. At a high level there are three channels:
• Enterprise Agreement: For medium to large enterprises looking at making a pre-commit on the amount of Azure resource consumption. This is typically a pre-paid annual payment.
• Open License Program: For small and medium organizations who would choose to use a Pay-As-You-Go model. Credits can be added through activation of an open license key bought from Microsoft resellers. Also available through web direct options, purchased through Microsoft websites.
• Microsoft Partners: For small and medium organizations who would choose to use a post-paid Pay-As-You-Go model. This is available through Cloud Solution Providers (CSP partners).
What is an Azure Subscription?

• As the name suggests, a subscription refers to the logical entity that provides entitlement to deploy and consume Azure resources. Imagine Azure subscriptions to be like a pre-paid SIM activation with or without credit. Depending on the type, these can be free subscriptions, Pay-As-You-Go (post-paid) subscriptions or pre-paid credit-carrying subscriptions.
• A subscription fuels the Azure resources in a customer tenant. Everything will suspend or halt if the subscription carries zero credit, unless the subscription is a post-paid Pay-As-You-Go subscription.
• Multiple subscriptions can exist within the same customer tenant. Each subscription can independently fuel a different set of resources within the same customer tenant. Subscriptions can come from different purchase channels and can co-exist independently of each other.

Purchasing Options for Azure Products and Services

• Enterprise: Enterprise customers sign an Enterprise Agreement (EA) with Azure that commits them to spend a negotiated amount on Azure services, which they typically pay annually. Enterprise customers also have access to customized Azure pricing.
• Web direct: Direct Web customers pay general public prices for Azure resources, and their monthly billing and payments occur through the Azure website.
• Cloud Solution Provider: Cloud Solution Providers (CSP) typically are Microsoft partner companies that a customer hires to build solutions on top of Azure. Payment and billing for Azure usage occur through the customer's CSP.

Factors Affecting Costs

• Resource Type: Costs are resource-specific, so the usage that a meter tracks and the number of meters associated with a resource depend on the resource type.

• Service: Azure usage rates and billing periods can differ between Enterprise, Web Direct, and Cloud Solution Provider (CSP) customers. Some subscription types also include usage allowances, which affect costs.
• Location: Azure has datacenters all over the world. Usage costs vary between locations that offer particular Azure products, services, and resources based on popularity, demand, and local infrastructure costs.

Zones

A Zone is a geographical grouping of Azure Regions for billing purposes. The following zones exist and include the listed countries (regions).
• Zone 1 (United States, Europe, Canada, UK, France)
• Zone 2 (Asia Pacific, Japan, Australia, India, Korea)
• Zone 3 (Brazil)
• DE Zone 1 (Germany)

Pricing Calculator

The Azure pricing calculator is a free web-based tool that allows you to input Azure services and modify properties and options of the services. It outputs the costs per service and total cost for the full estimate.

Total Cost of Ownership (TCO) Calculator

If you are starting to migrate to the cloud, a useful tool you can use to predict your cost savings is the Total Cost of Ownership (TCO) calculator. TCO helps you estimate cost savings realized by migrating to Azure.

Best Practices for Minimizing Azure Costs

• Spending Limits: The spending limit in Azure exists to prevent spending over your credit amount. All new customers who sign up for the trial or offers that include credits over multiple months have the spending limit turned on by default. The spending limit is $0. It can't be changed. The spending limit isn't available for subscription types such as Pay-As-You-Go subscriptions and commitment plans.

• Quotas: Microsoft Azure Limits.
• Tags: You can use tags to group your billing data. For example, if you're running multiple VMs for different organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production environment. When exporting billing data or accessing it through billing APIs, tags are included in that data and can be used to further slice your data from a cost perspective.
• Reserved Instances: Reserved instances are purchased in one-year or three-year terms, with payment required for the full term up front. After it's purchased, Microsoft matches up the reservation to running instances and decrements the hours from your reservation. Reservations can be purchased through the Azure portal. And because reserved instances are a compute discount, they are available for both Windows and Linux VMs.
• Azure Cost Management: Azure Cost Management is another free, built-in Azure tool that can be used to gain greater insights into where your cloud money is going. You can see historical breakdowns of what services you are spending your money on and how it is tracking against budgets that you have set. You can set budgets, schedule reports, and analyze your cost areas.
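The three cost-control practices above (tags in exported billing data, reservation hours decremented against running instances, and budgets) worked through on a constructed monthly usage export. This is an added example, not code from the slides or from Microsoft. The rates, hours, resource names and the reservation are constructed; a reservation is modelled as a pool of hours (quantity times hours in the month) consumed by matching SKUs in the order the usage rows appear, and reservation scope (shared, single subscription, resource group) is not modelled.

```python
"""Slicing constructed usage by tag, applying reservation hours first, and checking budgets."""
from collections import defaultdict
from typing import Dict, List

HOURS_IN_MONTH = 720
PAYG_RATE = {"D2": 0.10, "D4": 0.20}            # constructed $/hour pay-as-you-go rates

USAGE: List[dict] = [                            # constructed rows of a monthly usage export
    {"resource": "vm-web-1", "sku": "D2", "hours": 720, "tags": {"costCenter": "CC100", "env": "prod"}},
    {"resource": "vm-web-2", "sku": "D2", "hours": 720, "tags": {"costCenter": "CC100", "env": "prod"}},
    {"resource": "vm-dev-1", "sku": "D2", "hours": 300, "tags": {"costCenter": "CC200", "env": "dev"}},
    {"resource": "vm-legacy", "sku": "D4", "hours": 720, "tags": {}},
]
RESERVATIONS = [{"sku": "D2", "quantity": 1}]    # one D2 reserved for the term


def apply_reservations(usage: List[dict], reservations: List[dict]) -> List[dict]:
    """Return usage rows with reserved_hours, payg_hours and cost filled in."""
    pool = defaultdict(int)
    for r in reservations:
        pool[r["sku"]] += r["quantity"] * HOURS_IN_MONTH
    charged = []
    for row in usage:
        reserved = min(row["hours"], pool[row["sku"]])   # reservation hours are consumed first
        pool[row["sku"]] -= reserved
        payg = row["hours"] - reserved
        charged.append({**row, "reserved_hours": reserved, "payg_hours": payg,
                        "cost": round(payg * PAYG_RATE[row["sku"]], 2)})
    return charged


def cost_by_tag(charged: List[dict], tag_key: str, untagged="(untagged)") -> Dict[str, float]:
    """Group cost by a tag value; rows without the tag land in a visible bucket instead of vanishing."""
    totals = defaultdict(float)
    for row in charged:
        totals[row["tags"].get(tag_key, untagged)] += row["cost"]
    return {k: round(v, 2) for k, v in totals.items()}


def budget_alerts(costs: Dict[str, float], budgets: Dict[str, float], threshold=0.8) -> List[tuple]:
    """(bucket, spent, budget) for every bucket at or above the alert threshold of its budget."""
    return [(k, costs.get(k, 0.0), b) for k, b in budgets.items() if costs.get(k, 0.0) >= threshold * b]


if __name__ == "__main__":
    charged = apply_reservations(USAGE, RESERVATIONS)
    costs = cost_by_tag(charged, "costCenter")
    print(costs)
    print(budget_alerts(costs, {"CC100": 50.0, "CC200": 100.0}))
```

The untagged bucket is deliberate: a resource with no cost-center tag is the one most likely to be missed in a chargeback, so the report surfaces it rather than silently dropping it.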

Private Preview

This means that an Azure feature is available to *specific* Azure customers for evaluation purposes. This is typically by invite only and issued directly by the product team responsible for the feature or service.

Public Preview

This means that an Azure feature is available to all Azure customers for evaluation purposes. These previews can be turned on through the preview features page as detailed below.

How to Access Preview Features

You can activate specific preview features through the preview features page (https://azure.microsoft.com/en-gb/services/preview/). This page lists the preview features that are available for evaluation. To preview a feature, select the Try it button for the relevant feature. Another preview area you can try is the next version of the Azure portal. Use the URL https://preview.portal.azure.com

General Availability (GA)

Once a feature has been evaluated and tested successfully, it might be released to customers as part of Azure's default product set. This release is referred to as General Availability (GA).

Monitor Feature Updates

The Azure portal "What's New" link on the ? help menu provides a list of recent updates you can periodically check to see what's changed in Azure. Alternatively, you can use the Azure Updates page (https://azure.microsoft.com/updates/).