Sunday, 15 July 2018

Announcing public preview of Azure Virtual WAN and Azure Firewall

Networking trends such as SDWAN (Software-Defined Wide Area Network) can improve performance by using path-selection policies at the branch offices to send Internet-bound traffic directly to the cloud, eliminating the backhaul to a few selected breakout points. This traffic can quickly reach Microsoft’s global backbone network, where intelligent routing provides the best network experience. However, having all branches access the Internet directly introduces new challenges, such as managing branch connectivity and uniformly enforcing network and security policies at scale. Network policy management across all the branch offices is further complicated by the trend of more employees working remotely, under ever stricter security, privacy, and compliance policies that vary by country/region.

Network security plays an important role in protecting users, data and applications. Cloud developers and IT teams struggle to stay ahead of security attacks. Cloud-native network security solutions better fit the modern DevOps model of building and deploying applications while taking advantage of the economic and scale benefits of the cloud. Customers need turnkey solutions that are easy to deploy, use, and manage, that offer high availability and that scale automatically.

To help customers with these massive modernization efforts, we are announcing Azure Virtual WAN to simplify large-scale branch connectivity, and Azure Firewall to enforce your network security policies while taking advantage of the scale and simplicity provided by the cloud.

Azure Virtual WAN


The new Azure Virtual WAN service provides optimized, automated and global-scale branch connectivity. Virtual WAN brings the ability to seamlessly connect your branches to Azure with SDWAN and VPN devices (i.e. Customer Premises Equipment, or CPE), with built-in ease of use and automated connectivity and configuration management.


Figure 1: Connect SDWAN and VPN devices to Hubs that comprise an Azure Virtual WAN

Virtual WAN provides a better networking experience by taking advantage of Microsoft’s global network. Traffic from your branches enters Microsoft’s network at the Microsoft edge site closest to a given branch office. We have over 130 edge sites, or Points of Presence (PoPs). Once your traffic is in the Microsoft global network, it terminates in a virtual hub. An Azure Virtual WAN is composed of multiple virtual hubs. You can create your hubs in different Azure regions. Azure has more global regions than any other public cloud provider, bringing your virtual hubs close to your branches around the world.

Here is a simple example with a virtual hub in West Europe (Netherlands) and another in North Europe (Ireland). These two hubs are part of a customer’s Azure Virtual WAN. Branch offices connect to the closest virtual hub for the very best performance.


We are launching the Azure Virtual WAN Preview with Citrix and Riverbed providing a fully automated branch connectivity experience. Our continued commitment to customers is to create more options with a new and fast-growing SDWAN and VPN partner ecosystem. Solutions from additional partners such as Check Point, Nokia Nuage, Palo Alto and Silver Peak will be available in the coming months. I encourage you to join the preview and provide feedback on service functionality and performance as well as on the ecosystem and partners.


We have been working closely with customers dealing with the challenges of branch connectivity at a global scale.

Public preview capabilities


◈ Virtual WAN and virtual hubs: You can create a virtual WAN and then deploy virtual hubs in any Azure public region. This allows your hubs to be close to your branch offices. The hubs are where network traffic initially terminates before heading to another branch office or an Azure Virtual Network (VNet).

◈ Connectivity automation: It is difficult to manually establish and manage a large number of VPN tunnels. Azure Virtual WAN brings together your preferred CPE, be it an SD-WAN controller or a VPN device, to automate branch provisioning, configuration management and connectivity setup, enabling you to easily deploy and manage your Virtual WAN.

◈ Automated VNet configuration: The automated VNet configuration allows you to easily connect your VNet to your hub so users in a branch office can access their Azure resources. 

◈ Troubleshooting and monitoring: The platform monitors your on-premises connections providing a unified experience to manage your Virtual WAN along with your Azure resources.

Azure Firewall


The new Azure Firewall service offers fully stateful native firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically. Customers can create and enforce connectivity policies using application- and network-level filtering rules. Connectivity policies can be enforced across multiple subscriptions and virtual networks. The Azure Firewall service is fully integrated with the Azure platform, portal UI and services.


Public preview capabilities


◈ Outbound FQDN filtering: Keep data within your infrastructure and prevent unwanted outbound Internet traffic and data exfiltration by limiting outbound HTTP/S traffic to a customer-specified list of Fully Qualified Domain Names (FQDNs).

◈ Network traffic filtering rules: Gain visibility and increase control across multiple subscriptions by centrally creating, enforcing and managing your stateful filtering rules by source and destination address, port and protocol.


◈ Outbound SNAT support: Enable outside communication from other security devices and appliances using Source Network Address Translation (SNAT). SNAT support provides address translation between your VNet and a public IP, while integrating easily with your existing security perimeter and sharing of policies.

◈ Azure Monitor logging: All events are integrated with Azure Monitor, giving you a single shared interface for your logging and analytics needs. The integration secures logging of all blocked/accepted incidents and further allows you to archive logs to an Azure storage account, stream events to your Event Hub, or send them to Log Analytics for additional insights.
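The four capabilities above describe a policy model: network-level rules on address, port and protocol, application-level rules on an FQDN allow list for HTTP/S, default deny for everything else, and a log record for every decision. The following Python is an added illustration written for this page, not code from Azure or the original post; the rule structures, the fixed 80/443 port-to-protocol mapping, the TEST-NET-3 addresses and the log format are all assumptions for the demo.

```python
# Added example, not Azure's code: a model of Azure Firewall rule processing; structures, port mapping and log format are assumptions.
from typing import NamedTuple
from fnmatch import fnmatchcase
import ipaddress

class Rule(NamedTuple):
    name: str
    source: str                       # allowed source CIDR
    protocols: set                    # network: {"TCP","UDP"}; application: {"http","https"}
    targets: list                     # network: destination CIDRs; application: FQDNs ("*." wildcard)
    dest_ports: frozenset = frozenset()   # network rules only

class Collection(NamedTuple):
    name: str
    priority: int                     # lower number is evaluated first (Azure uses 100-65000)
    action: str                       # "Allow" or "Deny"
    kind: str                         # "network" (L3-L4) or "application" (L7)
    rules: list

def _in(addr, cidr): return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def _net_match(r, flow):
    return (flow["proto"] in r.protocols and flow["dst_port"] in r.dest_ports
            and _in(flow["src"], r.source) and any(_in(flow["dst"], t) for t in r.targets))

def _app_match(r, flow):   # application rules see HTTP/S by destination port (assumed 80/443 only)
    proto = {80: "http", 443: "https"}.get(flow["dst_port"]) if flow["proto"] == "TCP" else None
    return (proto in r.protocols and _in(flow["src"], r.source)
            and any(fnmatchcase(flow.get("fqdn", "").lower(), t.lower()) for t in r.targets))

def evaluate(collections, flow):
    # Network collections first, then application collections, each by priority; first match wins, else Deny.
    for kind, match in (("network", _net_match), ("application", _app_match)):
        for coll in sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if match(rule, flow):
                    return coll.action, f"{coll.name}/{rule.name}"
    return "Deny", "default-deny"

def log_line(flow, decision):   # one record per decision, allowed and denied alike
    return (f"{flow['proto']} {flow['src']}:{flow['src_port']} -> {flow.get('fqdn') or flow['dst']}:{flow['dst_port']}"
            f" Action={decision[0]} Rule={decision[1]}")

POLICY = [  # constructed: DNS to one resolver (TEST-NET-3 address) and HTTP/S to update FQDNs only
    Collection("allow-dns", 100, "Allow", "network",
               [Rule("dns", "10.0.0.0/24", {"UDP", "TCP"}, ["203.0.113.53/32"], frozenset({53}))]),
    Collection("allow-updates", 200, "Allow", "application",
               [Rule("ms-updates", "10.0.0.0/24", {"http", "https"}, ["*.microsoft.com", "*.windowsupdate.com"])]),
]
```

A flow to an FQDN outside the allow list, or from a source outside the rule's CIDR, falls through to the default deny and is still logged, which is the exfiltration case the FQDN filtering bullet addresses.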


Azure Firewall – A perfect fit with your existing security


Azure Firewall has been built to enhance and strengthen your current Azure security posture, seamlessly complementing existing Azure security services.

◈ Network Security Group (NSG) and Azure Firewall are complementary, and together provide better defense in depth for network security. NSGs provide distributed network-layer traffic filtering to limit traffic to resources within virtual networks. Azure Firewall is a fully stateful, centralized network firewall as-a-service, providing network- and application-level protection across virtual networks.

◈ Application Gateway WAF provides centralized inbound protection for web applications (L7). Azure Firewall provides outbound network-level protection (L3-L4) for all ports and protocols and application-level protection (L7) for outbound HTTP/S.

◈ Azure DDoS Protection leverages the scale and elasticity of Microsoft’s global network to bring massive DDoS mitigation capacity in every Azure region. Microsoft’s DDoS Protection service protects your Azure applications by scrubbing traffic at the Azure network edge before it can impact your service's availability.

◈ Service Endpoints: For secure access to PaaS services, we recommend Service Endpoints, which extend your virtual network's private address space and the identity of your VNet to the Azure service. Azure Firewall customers can choose to enable service endpoints in the Azure Firewall subnet and disable them on the connected spoke VNets, thereby benefiting from both features: service endpoint security and central logging for all traffic.

◈ Network Virtual Appliances: Customers can have a mix of third-party NVAs and Azure Firewalls. We are working with our partners on multiple "better together" scenarios.

With the addition of Virtual WAN and Firewall to our broad portfolio of network services, we are again expanding what is possible with Azure. They both provide a strong testament to our goal of integrating broadly with the platform and your infrastructure, while at the same time being simple and easy to deploy and use.
