Moving your Perimeter Network into Azure
Orin Thomas
DCI 306
Perimeter Network (Screened Subnet)
Diagram: Internet -> External firewall -> Perimeter network (some exposure to Internet) -> Internal firewall -> Internal Network (not exposed to Internet)
This model is no longer relevant
This model is broken
Workloads are increasingly virtualized. This includes perimeter network workloads.
Model worked in the 90's, when servers were servers and virtualization was something that happened on mainframes.
Assumes people "inside" the perimeter always have the organisation's best interests in mind.
Assumes that computers and devices inside the perimeter have not been compromised.
Diagram: Internet -> External firewall -> Perimeter network (exposed to Internet) -> Internal firewall -> Internal Network (not exposed to Internet)
(Almost) assumes an "on prem" model of critical infrastructure deployment. Also not relevant as more resources are being moved into the cloud.
Domain Isolation Policies
What was the goal of perimeter networks?
To host services that require exposure to the Internet and the internal network (Bastion Hosts)
Typical perimeter network workloads:
• Proxy services
• Email gateway
• Websites
• DNS
• Remote access
• Appliances
Hosts usually have public IP addresses (unless NAT shenanigans)
Can't virtualize everything (yet)
If you can't virtualize it, you can't move it to Azure
Significant savings in migrating workloads off perimeter network into Azure
Not just about money:
• Simplify deployment
• Increased security
• Increased availability
• Easy access to public IP address
Don't have to migrate everything to save money
First: Assess Perimeter Network Workloads
Easy to migrate:
• Web sites / applications
• Email gateway
• DNS
Difficult to migrate:
• Remote Access
• Appliances
• Proxy Servers
Azure as Perimeter Network
Diagram: Internet -> Azure (some exposure to Internet) -> External firewall -> Internal Network (not exposed to Internet)
Understanding Azure Public IP Addressing
Understanding Azure Endpoints
Understanding Host Level Firewalls
Understanding Azure Virtual Networks
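An added example, not from the deck: when a web front end moves from the old screened subnet into Azure, the same exposure discipline applies. Assuming the classic (service management) Azure PowerShell cmdlets of the time, a constructed cloud service and VM name, and constructed source ranges, this publishes only TCP 443 behind an endpoint ACL and sets a default-deny host firewall inside the VM.

```powershell
# Added example, not from the deck. Assumes the classic Azure PowerShell module
# (Add-AzureAccount / Select-AzureSubscription already run). Service name, VM
# name and remote subnets are constructed placeholders.
$serviceName = 'contoso-dmz-web'   # constructed
$vmName      = 'web01'             # constructed

# 1. Endpoint ACL: permit only the ranges that need to reach the site.
#    With at least one Permit rule present, every other source is denied.
#    Lower Order values are evaluated first.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet '203.0.113.0/24' `
    -Order 100 -Description 'Partner range (constructed)'
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet '198.51.100.0/24' `
    -Order 110 -Description 'Corporate egress (constructed)'

# 2. Publish only HTTPS on the VM's public endpoint, with the ACL attached.
#    No RDP/WinRM endpoint is added; manage the VM over the site-to-site VPN.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name 'HTTPS' -Protocol tcp -LocalPort 443 -PublicPort 443 -ACL $acl |
    Update-AzureVM

# 3. Host-level firewall inside the VM (Windows Server 2012 / 2012 R2):
#    default-deny inbound on every profile, then allow only what is published.
#    Assumes WinRM to web01 is reachable over the VPN, not over the Internet.
Invoke-Command -ComputerName $vmName -ScriptBlock {
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
    New-NetFirewallRule -DisplayName 'Allow HTTPS (perimeter web)' -Direction Inbound `
        -Protocol TCP -LocalPort 443 -Action Allow
}

# 4. Check: list what is actually published so exposure matches intent.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureEndpoint |
    Select-Object Name, Protocol, Port, LocalPort
```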
Azure Point to Site VPN
Azure Site-to-Site VPN
Moving workloads to Azure
Virtualize, then migrate to Azure
Manual Migration:
• Upload VHDs to Azure
• Build workload in Azure and migrate data
Automate Migration: Microsoft Migration Accelerator for Azure
Can migrate the following to Azure:
• Physically deployed computers
• VMware
• Hyper-V
• AWS
Automated migration:
• Automatically discover workloads from cloud
• Auto-provisioned target Azure VMs
• Validate migrated workload in cloud before cutover
Supports multi-tier applications
• Automatically migrate multi-tier production systems with application level consistency orchestrated across tiers
• Application startup order kept in place without requiring special configuration
Can discover Microsoft workloads
• Exchange
• SQL Server
• File Server
• SharePoint
• IIS
Use continuous replication to minimize cutover period
• MA for Azure supports full system replication including OS and application data
• Continuous replication and in-memory change tracking reduces cutover to minutes rather than hours
Migration Profiler
• Helps determine the size, activity and performance requirements of workloads
• Ensures correct Azure templates are being used prior to migration
• Monitors change rates, replication differential, asset health and more.
How it works
Diagram: Mobility Service agents on the workloads to migrate -> Process Server (PS, on-prem) -> Organizational Azure Subscription hosting the Configuration Server (CS) and Master Target (MT) -> Migration Accelerator (MA) Portal
Mobility Service agent: installed on source servers. Performs real-time data capture and sync to target servers.
Process Server (On Prem): server (physical or virtual). Manages communication between agents and target VMs in Azure.
Configuration Server (Azure VM): Azure VM which manages communication between Master Target and Migration Accelerator (MA) Portal.
Master Target (Azure VM): Azure VM which hosts target for replicating disks of on-prem servers.
MA Portal: multitenant portal that can discover, configure protection, and migrate on-prem workloads to Azure.
Migration Accelerator Support Matrix
Area: Limits
Operating Systems: Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2
Platforms: Physical; VMware VM (ESX/ESXi/vSphere/vCenter 4.x or 5.x); AWS; Hyper-V VM
OS Disk: 127 GB
Data disks: 16 disks, maximum 1 TB per data disk
Network: Single VM NIC
Cluster: No support for guest cluster (Azure has other HA options)
http://blogs.technet.com/b/srinathv/archive/2014/09/17/prerequisite-and-support-matrix-microsoft-migration-accelerator-for-azure.aspx
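An added example, not from the deck or the Migration Accelerator tooling: a pre-check that scores an inventoried workload against the support matrix above before it is signed up for replication. The inventory records are constructed sample data; 1 TB is taken as 1024 GB.

```powershell
# Added example, not from the deck. Checks a workload description against the
# Migration Accelerator support matrix. Inventory below is constructed.
function Test-MaWorkloadSupport {
    param([Parameter(Mandatory)] [hashtable] $Workload)

    $supportedOs = @('Windows Server 2008 R2 SP1', 'Windows Server 2012', 'Windows Server 2012 R2')
    $supportedPlatforms = @('Physical', 'VMware', 'AWS', 'Hyper-V')
    $problems = @()

    if ($supportedOs -notcontains $Workload.OS) {
        $problems += "OS '$($Workload.OS)' is not in the support matrix"
    }
    if ($supportedPlatforms -notcontains $Workload.Platform) {
        $problems += "Platform '$($Workload.Platform)' is not supported"
    }
    if ($Workload.OsDiskGB -gt 127) {
        $problems += "OS disk $($Workload.OsDiskGB) GB exceeds the 127 GB limit"
    }
    if ($Workload.DataDisksGB.Count -gt 16) {
        $problems += "$($Workload.DataDisksGB.Count) data disks exceeds the limit of 16"
    }
    $oversized = @($Workload.DataDisksGB | Where-Object { $_ -gt 1024 })   # 1 TB = 1024 GB (assumption)
    if ($oversized.Count -gt 0) {
        $problems += "$($oversized.Count) data disk(s) exceed 1 TB"
    }
    if ($Workload.NicCount -ne 1) {
        $problems += "VM has $($Workload.NicCount) NICs; only a single NIC is supported"
    }
    if ($Workload.GuestCluster) {
        $problems += 'Guest cluster members are not supported; plan an Azure HA option instead'
    }

    [pscustomobject]@{
        Name      = $Workload.Name
        Supported = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed inventory: a web front end that fits and a clustered file server that does not.
$inventory = @(
    @{ Name='web01'; OS='Windows Server 2012 R2'; Platform='Hyper-V'; OsDiskGB=80;
       DataDisksGB=@(200, 200); NicCount=1; GuestCluster=$false },
    @{ Name='fs01';  OS='Windows Server 2012';    Platform='VMware';  OsDiskGB=127;
       DataDisksGB=@(2048, 500); NicCount=2; GuestCluster=$true }
)
$inventory | ForEach-Object { Test-MaWorkloadSupport -Workload $_ } |
    Format-List Name, Supported, Problems
```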
Deploying Migration Accelerator
1. Azure account
2. Sign up for MA Preview
3. Receive MA Portal URL, User ID & Password
4. Install Configuration Server in Azure VM
5. Install Master Target in Azure VM
6. Install Process Server on-prem
7. Register MA Account to Azure account
8. Start on-prem resource discovery
The Future
• Virtual appliances designed for Hyper-V, VMware, and AWS deployable to Azure
• More roles supported in Azure
Related content
DCI 307 Getting Foxy with Azure IAAS
Thanks! Don’t forget to complete your evaluations
aka.ms/mytechedmel