Networking & hybrid connectivity in Azure & beyond with CDN, Front Door & more (Microsoft Ignite)

(upbeat electronic music) (audience applauding)

– Welcome to Microsoft Mechanics Live! (audience applauding) Woo, coming up we look at the recent updates to networking in Azure with the team’s engineer and leader, Yousef Khalidi, to highlight the areas of innovation including leveraging Azure’s network backbone toward manual one, new architectures for testing your network topologies, site acceleration, scaling out web workloads and load balancing, for content delivery with Azure CDN and Front Door and securing workloads at the edge and across regions using Azure Web Application Firewall and DDoS protection. So please join me in welcoming the CVP of Networking in Azure, Yousef Khalidi. (audience applauding)

– Thank you for having me on the show.

– It’s great to have you, thank you so much. So the network’s really the key gateway to cloud services and getting your infrastructure, apps and ultimately your users to connect to your resources. How do you think of the role of the network in today’s distributed architectures?

– You know, nothing really matters if you cannot connect to the cloud. The quality of the connection in terms of latency, jitter and bandwidth is very important. This always has been the case. You basically can’t have a cloud without the network. We design, build and operate one of the biggest wide area networks on the face of the earth. You can see some of the numbers here. We connect our 54 regions. We have more than 106 edge sites and increasing. I will say more about those in a second. We peer with so many ISPs out there that we have around 20,000 peering connections. And if you want to hear the punchline, every second on this WAN we process 30 billion packets per second. 30 billion packets per second on the WAN. And that’s not counting what we do within every region. So net net we give you that ability to connect to the cloud through multiple means, through huge scale, and we cater both to private and public connectivity to the cloud.

– [Matt] And we’re continually making things faster and innovating as we go forth.

– All the time.

– Exactly, that’s right.

– [Yousef] In attending Ignite, you see it.

– [Matt] Yeah, exactly, that’s right, and the Azure network is powering some of the most demanding apps and services in the cloud. Can you tell us about some of the recent updates and what we’re solving for with them?

– Well, let’s start with latency. Latency is very important to many of you and your customers. So when you access the cloud, even moving to cloud service in general, latency can be a huge inhibitor. The reason we have all these edge nodes is to make it much faster for you to get to your local regions. So we add these nodes in strategic locations around the globe. If you look at this map, we have them in the major metro areas. In the US we started with the NFL cities, then we grow. And we’re adding more and more edge locations in Asia Pacific, Africa, the Middle East and so forth. The edge nodes are the way you get to Azure. The way you get to the Azure backbone, the WAN, which gets you to your region or regions around the globe. Now it’s not uncommon to see a big jump in performance once we place an Azure edge in a city somewhere. I can tell you there are some cases where latency improved by 2X to 10X by us putting an edge in a given city. Because we optimize the traffic and we get you to the fastest region for your application. In terms of performance, our North Star, we want to be able to get to 30 millisecond or 35 millisecond from any customer to the closest edge and the closest region. Your mileage will vary, but 30 millisecond is quite an aggressive goal. And we’re getting there.

– Yeah, we’re getting there indeed. And so just to make this real I’m gonna quickly show you the difference here in a quick demo with three different connections. So this is a simulation of the user experience downloading the same file from three different services with caching turned off on all services. Now the one on the left has been accelerated through Azure CDN and you can see how much faster it is at returning versus the other two. In the middle it’s routing through a competing CDN service and on the right we’re not using any form of acceleration over the open internet. So this clearly demonstrates the native acceleration capabilities of our network. Which is incredibly impressive. So Yousef, can you help us understand what we’ve done here to ensure that there’s incredible app delivery and experience for amazing app performance within the Microsoft WAN?

– As you know, CDNs cache content. They cache files, video, web assets and so forth. We cache them on servers on those edge locations I mentioned earlier. The system fetches the data from the origins, from a region somewhere, from storage, for example, and puts them on the edge. And then your device, your phone, your PC, then gets that content from the very closest edge to you. For years we’ve had our own internal CDN that all of us used if you’re using Windows Update or Xbox or the Marketplace, et cetera. Now we’ve added this CDN also to our complete CDN offerings. So today we have three CDN systems: the Microsoft system, we have partnerships with Verizon and we have partnerships with Akamai. And through that you end up with a big, huge, global coverage. Just look at the picture you see on the screen at the moment.

– Awesome. Now what are some of the options that I have as an architect or perhaps a developer then to leverage this Azure global network to improve the performance and connectivity?

– If you think of Microsoft’s global presence, we have services that allow you to connect locally your users into Azure, and to benefit from our WAN. That’s always been our strategy. So if you connect to the cloud through the internet, another good option would be to use a new service we announce today, which is a Microsoft peering service. How this works is basically we have partnered with many ISPs out there, internet service providers, to have the best optimized connectivity between our edge locations and their networks. It’s effectively a business-class internet. And when you sign up for it we give continuous monitoring of your connectivity. We give you reports and help to remediate any problems or anomalies you might see. In the Azure portal you see telemetry and monitoring of your connections between your sites and Microsoft, such as the latency profile of any given prefix of your network that we are monitoring using a Microsoft peering service. Today we monitor over 20 million routes on the internet. With this service though, we now give you the ability to see if any of your routes are being dropped by your ISP or worse, if somebody’s trying to hijack your route. And moreover, we protect you from that. So if someone was able to advertise a route away from your ISP we don’t obey it. Instead we continue serving your traffic and we tell you something has gone wrong.

– OK, for those of us who’ve been in the network architecture space for a while and have got a reliable, high-performing network but want to make things run even better, how can people do that?

– Well, the way we can do that is also with the new service we just announced, called Internet Analyzer. It helps you to assess the right approach for delivering content from the cloud.

– OK, should we take a quick look?

– Please.

– OK, yeah, we can take a look. So you can see I’ve got two network topologies here, one in Azure in the top of the blade there and one in another cloud. Internet Analyzer basically lets me A/B test delivery architectures before you port your services over. So it will give you a view of where you’re coming from alongside where you’re going to. And this is a measure of what the user experience is, so you get some visibility into that last mile connection as Yousef was talking about. So setting up a test is actually really easy. So if I move over to the middle here in the test area I simply give it a name. I want to obviously embed my client-side JavaScript in my app first to get the measurements running, but we provide a name, a description for the test and then we can start to configure the endpoint. And you’ll see here I’m gonna click on this first endpoint A and configure it. And you can see you can use both our pre-configured and there are custom endpoint options as well if you’re testing. So I’m gonna give this one a name as Azure Single Region. The endpoint type is in this case Azure Single Region. As you see, I could have used custom there as well. The Azure Region in my case is West US and then I’m gonna use Front Door as well. Very quickly I have configured the endpoints and I can start kicking off that testing. It’s all really, really straightforward. But what’s happening under the covers here?

– Well, we’re actually measuring performance. Your client is measuring the performance of latency from your end user population to your selected network destination. And it does this by downloading a one pixel image over HTTPS. Then this telemetry data is sent to Internet Analyzer in Azure. And ultimately provided back to you to help you to understand the performance benefits of a multitude of network topologies and different paths to your application. We just announced this thing in preview this week so please go give it a try. It’s really very easy to use.

– Great, now networking, as many people know, can be tricky, and sometimes you need to re-route traffic or maybe a connection just gets saturated. So what are we doing there to help with app delivery and acceleration?

– These are very common questions and needs, if you will. Of course we build a service for that too. It’s called Azure Front Door. It’s a service we’ve had in Microsoft for a while and now it’s available to you as well. The service lets you define and manage, monitor and optimize your web traffic for performance and will ultimately failover if needed for high availability. So Front Door works at layer seven, or HTTP layer basically, and uses anycast protocol to find the closest edge to your customer if you want. And then it will optimize the traffic from that edge to your origin in Azure. We do things like Split TCP so the connection is terminated at the edge and we multiplex overcome at TCP connections. We do also other optimization as well.

– OK, so that’s gonna give better performance for the app, but what about the security side? What have we done there?

– As I mentioned at the very beginning, this performance and security are really very important. So our goal in Azure network security is basically to deploy defense in depth. And we’ve built our services on the concept effectively of zero trust. Where you’re minimizing the entities that trust each other and you want to have macro parameters, macro segmentation if you want, across highly distributed architectures. So, for example, we have the Web App Firewall. It protects web pages, layer seven, against common exploits. We’ve had this for a while within the virtual network in the cloud. Now we recently launched WAF also at the edge. So you can combine WAF functions at the edge and WAF functions within your virtual network as well. And as you probably know, web apps are often targeted with attacks such as SQL injection, cross-site scripting, layer seven DDoS, so we built in these protections all the way, as I mentioned, from the edge to the application you have. And if you haven’t configured this one lately, again, it’s relatively easy to use, please try it.

– And best of all, it’s really easy to get going.

– It really is.

– Should we take a look? Yeah, so we’ve got it on the screen here. So here we are in the create a WAF policy blade within the Azure portal. And I’m just gonna give this one some basic information. You see I’ve given it the name already. Choose some of the basic information, subscription, resource group, the usual stuff, very familiar. The next thing, go on to the policy settings and firstly select whether this is a prevention or detection WAF policy. And then I’m in to essentially configuring some of my rules. And in the first case, I’m lookin’ at specific managed rules that are based on the core rule set from the Open Web Application Security Project or OWASP. I’m sure that’s familiar to many of you. And these rules give a baseline to protect against common threats. And you can see I can make some modifications if I want, so I’m blocking currently but I can change that action to logging if I prefer. So make some customization. You can also see that I’ve got bot protection in preview here too. So for additional managed rules, and I can also create custom rules to augment the existing managed rule sets. And in this case I’m gonna create a simple geo-location rule that blocks traffic not originating from the US. So I make a few changes there, choose the US, and within a few clicks we’re done. Once that’s finished I can associate this to, for instance, Azure Front Door resources. So in this case I’ve selected a Front Door demo and then the front end host and click add and I’m done. Look at the review, validate the settings that I’ve made, make sure I’ve done it all correctly, and I can go ahead and click create. So really easy stuff, very, very powerful, but very, very straightforward at the same time. And this is where, again, the advantage of our global network comes in to play.

– Definitely. You need size. You need the ability to handle a lot of bandwidth, because, frankly, when a global DDoS attack happens you need a lot of capacity to absorb the traffic and send it to the right place. So it’s the same infrastructure we have built to support Microsoft services such as Xbox and Office 365, and now they are also available to you in our DDoS service.

– Exactly. Incredible stuff. Now you’re protected, you can check in regularly to set up alerts and see what the bad guys are doing. And there’s been a lot of news lately about running Azure services on any infrastructure. Whether that’s in your data center, at the edge, in IoT or in other clouds. This sounds like it’s fundamentally enabled by the network. So what else are we doing to better support these new hybrid topologies?

– We have a new service, actually. So we’re building new user solutions that take one of our edge devices where you can place it directly on the customer premises. And it’s combined with networking. We call it Multi-access Edge Compute. Some folks call them mobile edge compute. But basically, on top of that, we’ll add extended Azure functionality such as support for containers, IoT and virtual machines beyond core networking, if you will. And we would provide extended capabilities for many, many locations with centralized remote management and the ability to develop software from the cloud onto those boxes. The best part is they’ll be able to all tap into very low latency 5G cellular technology such as private LTE or CBRS, if you’re familiar with those technologies. So I like to think of the network really as the key to any hybrid configuration. So as we deliver more and more against the promise of Azure on any infrastructure, of course, you’d be thinking of the best way to connect and keep everything secure.

– [Matt] OK, so the big question, when will this be available?

– We just announced a technical preview, which is happening as we speak. We’ll be opening it up more broadly in the next calendar year.

– Excellent, awesome, thank you so much, Yousef. And great highlights across recent announcements for all the networking stuff in Azure. A lot of this is ready to start using today. Just click on the plus sign in the Azure portal to get started. Where can we learn more?

– We have many opportunities for you to know more. We will continue innovation at the edge, global scale and so forth, and if you would like to know more the link on the screen will give you more information. I have a blog published at this link and at Ignite we have more than a dozen sessions. They’re gonna be archived, available for you to view as well.

– Excellent, yeah, make sure you check it out. Lots of valuable information, and check out the blog, as Yousef said. So thank you again so much for joining.

– [Yousef] Thank you very much, thank you.

– Thank you so much, it’s been a pleasure to have you, and keep watching Microsoft Mechanics for all the latest updates. Subscribe, thanks for watching. (upbeat electronic music) (audience applauding) (upbeat electronic music)
