6 min read
Networking trends such as SDWAN (Software-Defined Wide Area Network) can improve performance by using path selection polices at the branch offices to send Internet-bound traffic directly to the cloud eliminating the backhaul to select breakout points. This traffic can quickly reach Microsoft’s global backbone network with intelligent routing to provide the best network experience. However, having all branches directly accessing the Internet introduces new challenges such as managing branch connectivity and uniformly enforcing network and security polices at scale. Further complicating network policy management across all the branch offices is the trend of more employees working remotely with ever stricter security, privacy, and compliance requirements polices that vary by country/region.
Network security plays an important role in protecting users, data and applications. Cloud developers and IT teams struggle to stay ahead of security attacks. Cloud native network security solutions better fit the modern dev ops model of building and deploying applications while taking advantage of the economic and scale benefits of the cloud. Customers need turnkey solutions that are easy to deploy, use, and manage that offer high availability and automatically scale.
To help customers with these massive modernization efforts, we are announcing Azure Virtual WAN to simplify large-scale branch connectivity, and Azure Firewall to enforce your network security polices while taking advantage of the scale and simplicity provided by the cloud.
Azure Virtual WAN
The new Azure Virtual WAN service provides optimized, automated and global scale branch connectivity. Virtual WAN brings the ability to seamlessly connect your branches to Azure with SDWAN & VPN devices (i.e. Customer Premises Equipment or CPE) with built in ease of use and automated connectivity and configuration management.
Figure 1: Connect SDWAN and VPN devices to Hubs that comprise an Azure Virtual WAN
Virtual WAN provides a better networking experience by taking advantage of Microsoft’s global network. Traffic from your branches enters Microsoft’s network at the Microsoft edge site closest to a given branch office. We have over 130 edge sites or Points of Presence (PoPs). Once your traffic is in the Microsoft global network, it terminates in a virtual hub. An Azure Virtual WAN is composed of multiple virtual hubs. You can create your hubs in different Azure regions. Azure has more global regions than any other public cloud provider bringing your virtual hubs close to your branches around the world.
Here is a simple example with a virtual hub in West Europe (Netherlands) and another in North Europe (Ireland). These two hubs are part of a customer’s Azure Virtual WAN. Branch offices connect to the closest virtual hub for the very best performance.
We are launching Azure Virtual WAN Preview with Citrix and Riverbed providing a fully automated branch connectivity experience. Our continued commitment to customers is to create more options with a new and fast-growing SDWAN and VPN partner ecosystem. Solutions from additional partners such as Barracuda, Checkpoint, Nokia Nuage, Palo Alto, Versa Networks and Silverpeak will be available in the coming months. I encourage you to join the preview and provide feedback on both service functionality, performance as well as ecosystem and partners.
We have been working closely with customers dealing with the challenges of branch connectivity at a global scale. Here is a perspective from Sword Group:
“As a multi-national company, Sword needs to connect all around the world and provide interconnectivity. With Riverbed’s SteelConnect and Microsoft’s Azure Virtual WAN, we are able to deploy locations in minutes easily in a few steps, control the access, and remove complex and expensive scenarios – all while providing cloud workloads close to the users. This capability will allow Sword to engage in new markets with great speed and agility.”
Guillaume Mottard, COO, Sword Group, Switzerland
Public preview capabilities
- Virtual WAN and virtual hubs: You can create a virtual WAN and then deploy virtual hubs in any Azure public region. This allows your hubs to be close to your branch offices. The hubs are where network traffic initially terminates before heading to another branch office or an Azure Virtual Network (VNet).
- Connectivity automation: It is difficult to manually establish and manage a large number of VPN tunnels. Azure Virtual WAN brings together your preferred CPE be it SD-WAN controller or VPN device to automate the branch provisioning, configuration management and connectivity setup enabling you to easily deploy and manage your Virtual WAN.
- Automated VNet configuration: The automated VNet configuration allows you to easily connect your VNet to your hub so users in a branch office can access their Azure resources.
- Troubleshooting and monitoring: The platform monitors your on-premises connections providing a unified experience to manage your Virtual WAN along with your Azure resources.
For details on enrolling in the public preview, please visit Azure Virtual WAN.
The new Azure Firewall service offers fully stateful native firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically. Customers can create and enforce connectivity policies using application and network level filtering rules. Connectivity policies can be enforced across multiple subscriptions and virtual networks. The Azure Firewall service is fully integrated with the Azure platform, portal UI and services.
“As a bank in a regulated context, we need to master all aspects of security in public cloud, including network and application level perimeter security for data exfiltration prevention. Having another solution in Azure completing the existing ones (like NSG, UDR), will allow outgoing flow filtering at L7, significantly increasing our security. Simple to setup, easy to check logs, and an interesting roadmap, Azure Firewall is very promising!”
Victor Martins, IT Architect, Societe Generale
Public preview capabilities
- Outbound FQDN filtering: Keep data within your infrastructure and prevent outbound Internet traffic and data exfiltration by limiting outbound HTTP/S traffic to a customer specified list of Fully Qualified Domain Names (FQDN).
- Network traffic filtering rules: Gain visibility and increase control across multiple subscriptions by centrally creating, enforcing and managing your stateful filtering rules by source and destination address, port and protocol.
- Outbound SNAT support: Enable outside communication from other security devices and appliances using Source Network Address Translation (SNAT). SNAT support provides address translation between your VNet and Public IP, while easily integrating with existing security perimeter and sharing of policies.
- Azure Monitor logging: All events are integrated with Azure Monitor, giving you a single shared interface for your logging and analytics needs. The integration secures logging of all blocked/accepted incidents and further allows you to both archive logs to an Azure storage account, stream events to your Event Hub, or send them to Log Analytics for additional insights.
Azure Firewall – A perfect fit with your existing security
Azure Firewall has been built to enhance and strengthen your current Azure security posture, seamlessly complimenting existing Azure security services.
- Network Security Group (NSG) and Azure Firewall are complementary, and together provide better defense and in-depth network security. NSGs provides distributed network layer traffic filtering to limit traffic to resources within virtual networks. Azure Firewall is a fully stateful centralized network firewall as-a-service, providing network and application level protection across virtual networks.
- Application Gateway WAF provides centralized inbound protection for web applications (L7). Azure Firewall provides outbound network level protection(L3-L4) for all ports and protocols and application level protection (L7) for outbound HTTP/S.
- Azure DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring massive DDoS mitigation capacity in every Azure region. Microsoft’s DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service’s availability.
- Service Endpoints: For secure access to PaaS services, we recommend Service Endpoints that extend your virtual network private address space and the identity of your VNet to the Azure service. Azure Firewall customers can choose to enable service endpoints in the Azure Firewall subnet and disable it on the connected spoke VNETs therefore benefitting from both features – service endpoint security and central logging for all traffic.
- Network Virtual Appliances: Customers can have a mix of 3rd party NVAs and Azure Firewalls. We are working with our partners on multiple better together scenarios.
More details are in the Azure Firewall product page.
With the addition of Virtual WAN and Firewall to our broad portfolio of network services, we are again expanding what is possible with Azure. They both provide a strong testament to our goal of integrating broadly with the platform and your infrastructure, while at the same time being simple and easy to deploy and use.
Our mission in Azure Networking is to help you build a secure, high-performant, and reliable global network in the cloud for your mission critical services. We will continue to provide more complete network services. We are interested in your feedback on our new Virtual WAN and Firewall offerings which you can use today. We are also interested in your feedback on our growing catalog of easy to use and fully integrated Azure Networking services. Please stay tuned as we prepare for even more announcements in the next few months.
Upcoming webinar and additional resources
I will be hosting a webinar on July 18, 2018 talking about and demoing the new Azure Virtual WAN and Azure Firewall. You will also hear from our partners and customers about these new services.