Yesterday, we made a number of Azure networking announcements to enable customers to build better hyper-scale and enterprise grade applications in public and hybrid cloud environments. ExpressRoute enhancements include new strategic partnerships, a Meet-Me location in Australia, multi-site ExpressRoute for better disaster recovery, multiple subscriptions sharing the same ExpressRoute circuit, and support for 4,000 routes. We are improving overall security with Network Security Groups for easier subnet isolation in multi-tier topologies, Site to Site Forced Tunneling which sends network traffic back to on-premises for policy validation to meet compliance requirements, and VPN support for Perfect Forward Secrecy (PFS). A new high-performance gateway, multiple virtual NICs in a VM, access to VPN operations logs, nested Traffic Manager policies and Azure load balancer source IP affinity demonstrate our commitment to continually enhance Azure networking capabilities. Customers can use these new capabilities today, starting in the North Europe region and subsequently all Azure regions in the coming weeks. Look for rollout updates here.
New ExpressRoute partnerships and ExpressRoute location
We continue to grow our global direct network connectivity ecosystem to enable enterprise customers to access Azure via ExpressRoute. New ExpressRoute partners are Colt Technology Services in Europe, Tata Communications in Asia, and Telstra in Australia. ExpressRoute is now generally available in Australia with a Meet-Me location in Sydney. From Sydney, customers can reach all Australian Azure regions.
ExpressRoute - Sharing connections across multiple subscriptions
Customers can share a single ExpressRoute circuit among Azure subscriptions. Circuit owners have the ability to authorize other Azure accounts to use the ExpressRoute circuit. The circuit owner can issue up to 10 circuit authorizations per circuit and each authorization can support up to 10 VNet links. This capability is available for all ExpressRoute circuits (existing and new) and with all service providers.
ExpressRoute – Multi-region connectivity for HA and DR connectivity
Each ExpressRoute circuit provisioned today has been configured in active-active configuration between Microsoft and the connectivity provider in order to avoid single a point of failure. VNets linked to these circuits have highly available gateway tenants. VNets can now be linked with up to 4 ExpressRoute circuits. All ExpressRoute circuits must be created within the same geo and can span multiple providers. This enables path diversity and the ability to build resilient connectivity. This service is enabled for all existing and new ExpressRoute circuits.
Network Security Group
Customers will now be able to control traffic to one or more virtual machine instances in a Vnet using inbound and outbound access control rules defined in a Network Security Group. The access control rules support the standard 5 tuple (Source IP, Source Port, Destination IP, Destination Port and Protocol) along with a priority to allow users to achieve fine grain control to network traffic. The Network Security Group can be applied to a subnet (within a virtual network) as well as to individual virtual machines thereby enabling a two layer protection. The rules within a network security group can be modified and updated independent of the virtual machine allowing the management of access control lists outside the life cycle of a virtual machine.
A common application for Network Security groups is to realize a demilitarized zone (DMZ) and have explicit access control across tiers in a multi-tiered application.
Customers can now, redirect or “force” all Internet-bound traffic from the cloud, back to their premises via a S2S VPN tunnel for inspection and auditing. This is a critical security and compliance requirement for many enterprise grade applications. Without Forced Tunneling, Internet-bound traffic from customer VMs in Azure will always go from Azure directly out to the Internet, without the ability to inspect or audit the traffic. Unauthorized Internet access can potentially lead to information disclosure or other security breach. With Forced Tunneling you now have control. The following diagram illustrates how forced tunneling works.
Virtual Machines with multiple NICs
Customers can now create and manage multiple virtual network interfaces (NICs) on a VM. This capability will enable designing network infrastructure with a greater degree of flexibility and control. As an example, you can designate one NIC as the frontend NIC, and the other as backend NIC and isolate traffic between them, as indicated in the figure below; or you can separate data plane traffic from the management plane. Multiple NICs in a VM is a fundamental requirement for many Network Virtual Appliances. At TechEd we will have demos with Citrix and Riverbed as we now start to build an NVA ecosystem that will include load balancers, WAN optimizers and network security appliances. Multiple NiCs is not supported on basic VM SKU’s. They are available on standard VM SKU’s.
To support more demanding hybrid connectivity throughput needs and a larger number of cross premise sites, we are announcing the availability of a high performance VNet gateway. This will enable faster ExpressRoute and S2S VPN gateways and also support more S2S tunnels. The tunnels are used to connect to other virtual networks or on-premises sites.
Advanced VNet Gateway policies
To improve performance we now allow Virtual Network to Virtual Network communication to occur without the overhead of encryption (No Encryption). Note that all VNet-to-VNet communication will stay on Microsoft’s core network and not traverse the Internet. More precisely customers can control encryption on the tunnel between VNets. Customers can choose between 3DES, AES128, AES256 and No Encryption (Null). Customers can also enable Perfect Forward Secrecy (PFS) for their IPsec/IKE gateways.
More validated VPN devices
Barracuda Networks and Palo Alto Networks have been added to the list of validated VPN devices.
Operations and audit logs for VNet Gateways and ExpressRoute
Customer can view operations logs for VNet Gateways and ExpressRoute circuits. The Azure portal will show operations logs and information on all API calls and important infrastructure changes made, such as scheduled updates to gateways.
Nested policies for Traffic Manager
Traffic Manager enables customers to distribute network traffic using traffic profiles to applications deployed across multiple Azure deployments worldwide. We recently announced support for weighted traffic distribution and endpoints external to Azure enabling a range of additional scenarios such as failover-to-cloud, burst-to-cloud and on-premises to cloud migration. Customers will now be able to use nested traffic profiles enabling creation of more flexible and powerful traffic distribution and failover schemes to meet the needs of larger and complex enterprise deployments.
Source IP Affinity
Azure Load Balancer now supports a new distribution mode called Source IP Affinity (also known as session affinity or client IP affinity). Customers can load balance traffic based on a 2-tuple (Source-IP, Destination-IP) or 3-tuple (Source-IP, Destination-IP and Protocol) distribution modes.