How Microsoft uses Azure ExpressRoute hybrid networking technology to help secure the enterprise


Hello, everyone. Welcome to today's webinar on how Microsoft uses Azure ExpressRoute hybrid networking technology to help secure the enterprise. My name is David laughs and I will be your host for today's session. I am a principal service engineer at Microsoft. I've been with the company for about 20 years, and my primary area of focus is around enterprise networking.

Before we get started, I'd like to let you know that you can submit questions into the question window of the ON24 dashboard at any time during the conversation. We will collect them and discuss them during the Q&A session after the presentation. In case we run out of time and can't get to all your questions, we will stay behind in our studio and post them with the on-demand webinar. If there's time at the end, the experts will share some key takeaways. With that, I'll let everyone take a minute to introduce themselves. Kelly, we'll start with you.

Hi there, my name is Kelly Larkin and I've been with Microsoft for 17 years. My primary responsibility is running our hybrid cloud networking environment and leveraging ExpressRoute to do so. Amit?

Hey, myself Amit Mahajan, and I'm a senior service engineer, and my primary role and responsibility is to provide cloud networking, and I'm in Microsoft from last 7 years.

Thanks, guys. Let's go ahead and get started. Before we really get going, let me orient you to who we are, what we do and why we do it. So we are IT folks, so we are probably your peers, and we're not the only IT organization inside of Microsoft. So there's an IT organization that actually runs the online services, Azure, Office 365. We really represent the internal workings of Microsoft, so we support our internal business processes around developing and engineering product, research, operations, sales, and support. And as you can see, we're still pretty large, so we support more than 130,000 employees in more than 500 locations around the world, more than a hundred countries. We see approximately a little over 1 million devices touch our network on a daily basis, and we gather a lot of security events.

We're also very aggressive adopters of our own cloud technology, so most everyone's mailbox, collaboration and real-time communication, engineering processes are in Azure DevOps. We're almost entirely in the cloud at this point, including about 97% of our IT line-of-business applications are running in Microsoft Azure. We also have made a lot of progress in moving to the cloud over the past few years, so we've reduced about 90% of our physical servers, or about 10% of the footprint that we've been historically in the on-prem data centers, and we've reduced the number of on-prem data centers we have from 11 around the world to 4. So we've made a lot of progress, and with that I'll go ahead and hand it over to Kelly.

All right, thank you very much, David. So I'm going to talk a little bit about the IT functional roles for Azure and specifically, if we can cut to the slide, exactly how Microsoft IT interoperates with our line-of-business application, our engineering workload teams, and then how we leverage Azure. So really, at the end of the day, what we've transitioned to is becoming a cloud service provider in a sense, and we use Azure as our cloud capability in order to create these services that we extend to our engineering teams. And those service consumers really are those application engineering teams that consume the services that we provide in hosting environments, and obviously they are there to enable our business units, which are our big functions internally, like HR and Finance and so on. And so what we provide in this context is really things like automation, self-service provisioning, guidance, and even in a lot of cases consulting in terms of how these teams can leverage Azure in the most effective way, and then how they can implement using our tools and maintain their security posture by doing so.

And then with this next slide, we will talk about operationalizing the cloud and how we've transitioned from being a centralized IT department in the traditional sense and how we've evolved over the years during this cloud journey to really speed up our business, line-of-business units. And we do that by decentralizing a lot of our provision capability, allowing teams to acquire their own subscriptions, allowing them to move at their own pace in terms of how they want to deploy. And we enable them by providing all of the tools, resources that are necessary in order for them to adhere to corporate compliance while speeding up delivery, in many cases, of their applications to those business units. And we do that by providing a lot of standards and things like policy and auditing. We leverage tags, we give guidance on the best way to do role-based access controls, and we also employ things like resource locks for when we have configuration in their subscriptions that we want to maintain. And then we also provide automation, in many cases, that teams can leverage to help automate their environments, and then BI and analytics in the cases where we want to expose to them how well they are managing their resources and how well they're adhering to those corporate policies.

All right, and then this next slide is really talking about what is the scenario for ExpressRoute, why does it make sense for Microsoft IT to leverage that technology. We had a lot of applications that needed to lift and shift and move from the on-premise data centers into our Azure environment, and we needed a way to seamlessly allow them to migrate while still being able to connect to critical resources that are still on our corporate network. And so ExpressRoute was a really great choice for us. It provided high-speed connectivity into Azure in a private way to allow those applications to migrate, and other applications that needed a public connectivity were also free to do so. And this allowed us to be able to offer multiple ways for teams to be able to migrate those applications seamlessly in a way that would allow them to connect back to the corporate network. But we also wanted to ensure that we maintained or, if even possible, increased our security posture by migrating to the cloud, and this migration gave us the opportunity to do so. Azure has a lot of great capabilities and things that you can employ that can really help implement things like segmentation, which we'll get to here in just a moment, that really can, you know, enhance your security posture as you migrate to the cloud. And one of the things we'll be talking about in that segmentation is how we create specific purpose-built zones that allowed us to host specific types of application components in our environment securely, and in many cases improving our security posture as we've done so. And then the great thing about this is that we leverage the power of software-defined networking and Azure, which as you'll see is very powerful, the component that you can leverage in your own environment for your needs specifically. And with that I'm gonna go ahead and turn this over to Amit, and he's going to talk about how we actually, you know, provision, procure, and implement our isolation technology.

Thanks, Kelly. So to actually introduce that, let's actually talk about the ExpressRoute, you know, the slide which we actually having it to setting up this webinar, right. I think everybody knows about Azure are actually providing multiple ExpressRoute, multiple hybrid connectivity side, which is like two of them is from the VPN side, which is point-to-point and site-to-site. In this webinar we are going to discuss about the ExpressRoute. MSIT, or Microsoft IT, sorry, actually using this ExpressRoute to actually do the fast-moving and fast traffic migrations, right, from on-premises to cloud. So in this micro,
in this ExpressRoute design, what we actually leveraged, right, which is a direct private connectivity between on-premises and the data center to the cloud. It actually provides low-latency connections to Azure regions from on-premises, and we can actually have a massive data transfer between these two environments. So Microsoft IT has been working on ExpressRoute adoption from last five to six years, and over this period of time we evolved from individual, isolated, separate physical and logical circuits to a shared model, which you are going to see in this particular slide, where Microsoft extended on-premises data center to CPE, which is customer provided equipment, and there the service provider established a BGP peering, right, connections to MSEE, which is Microsoft Enterprise Edge.

After this, right, what we actually doing is we actually put our service provider subscription, right, where all the circuits are going to be there, and then all the customers' VNets are going to be linked to these particular circuits. But there is a feature, this is a security feature, right, where we can actually control all the authorizations on the provider's subscription, so that this is going to be like, you know, like authorized people are going to get the connectivity back to the on-premises. So this is a control point, right, from us to control all the circuits model, right, and only authorize the VNets which need to be access to the MSIT on-premises. And this particular central IT actually owns the provider subscription for provisioning of circuits. This is, like I said, this is a control mechanism of internal data center manageability.

So in the next slide, which we are actually showing about the service provider subscription provider model. This is another view of ExpressRoute, which showing how the management becomes simpler and reduces overhead of IT operations. We use the resource groups to map circuits to the right region. This way, right, you know, you don't need to be actually worried about like which circuit has which regions associated, and all circuits are going to the particular region itself. This will actually give us more additional RBAC controls, where we can provide access control at individual resource level. So this is another RBAC control we actually putting for manageability point of view. This actually is our operational things as well, so.
Would you characterize the combination of using ExpressRoute Direct and Global Reach as a way to get into Azure in a very consistent way from a shared infrastructure perspective, but then give you the flexibility to allow customers to connect on demand?

Yes, yes, this is definitely a very flexible way to actually do it, because, like I said, in the past, right, from 5 to 6 years IT has been adopting the ExpressRoute, we're learning a lot, right, and we going through the pace of Azure as well. So we learned a lot and we actually figured out, right, how we actually entertain and how we reduce the manageability, because with the single point of one-to-one mapping, right, actually create a lot of routes, lot of increase of, you know, circuit manageability itself. So this way, right, we have less circuits, right, but you can manage all the VNets in the one circuit itself. There is a limit which we can actually specify, like a 10 VNet limit we have per circuit, but it can be increased, and it depends on the edge speed port as well. If you have a 10 gig, which we actually normally use in Microsoft IT because we actually moving a lot of massive data, right, from on-premises to cloud, which actually help us for the migration point of view, there we actually using 40 VNet, right, links to one circuit, right, which actually give us a flexibility of growth point of view, which, future point, right, if we actually oversubscribed we can actually control that manageability.

Yep. So if you look at the diagram, what you see on the left-hand side there is infrastructure services. Even though there's both a physical and a logical component to these, that's pre-placed into each Azure region where we have ExpressRoute, and then the consumers on the right-hand side essentially just plug in the same way that they plug in.

Yeah, from data center, yeah. It is pretty easy for them, right, to actually manage. They don't being worried about like, okay, what connectivity we have it. We actually just doing the automation as well, which I think Kelly already mentioned in the previous slides, about how we actually automate the provisioning model on the consumer subscription, right, you know, for the self-service. So it is pretty easy for them to actually inherit.

So essentially all they need to know is, I want to go to this Azure region and I want to connect to this type of a network. That's all they have to tell us.

Exactly, and then through our automation they request a block of IP addresses, and we give them those addresses and give them a VNet authorization and they're ready to go.

Yeah, they don't need to be actually worried about what the routing itself. It's all in the same routing domain, right, they don't need to be worried about doing.

Okay, so next slide, we are going to talk about how we actually modernize the networks with Azure. In this one, right, which IT actually, internal data centers, you know, on the left-hand side you see that over the period of time it becomes unmanageable and have an unlimited free-flow access internally as well. And on the right side, right, we actually showing that while doing the migration to Azure using ExpressRoute we can now remove unnecessary data paths. This in turn reduces the signal-to-noise ratio, and easier to monitor as compared to traditional data center, where
it is actually very difficult to actually pick a needle from the haystack, you know. So it is more cleaner way to actually be migrated, and you have lesser zones and logical zones and lesser data paths, right, which is very good from point of view from the migration from on-premises to cloud.

Yes. Yeah, so the left-hand side of this really represents 20 years of history, yeah, inside of Microsoft, and the right-hand side is really the opportunity to not bring that institutional mess with us, correct, to simplify and clean things up in the migration of the cloud. That, I think, is kind of a generational event, right, we're not gonna see this again probably for another 10 to 20 years. So we're really trying to take advantage of that opportunity to intentionally move things into this new zone architecture, to make sure that the connectivity we provide is actually what they need and it's secure. It does come with a cost, so can you guys describe a little bit about what you dealt with in terms of when you started to migrate the applications up and you had to ask the people what their connectivity requirements were?

Yeah, that's a really great point, David. So yeah, one of the things that we discovered when we enabled folks with ExpressRoute to do the migrations is that the next thing that we needed to produce was a security policy, and in some cases this is one of the few times that the application teams needed to declare all of their connectivity. As you can see in this model on the left-hand side, where there was a lot of connectivity that was able to free flow, when we started, you know, requiring traffic go through our firewall in our security stamp, we obviously needed to know what ports and protocols they connected on, and in some cases that proved challenging for teams. Legacy code perhaps, team members had turned over, they didn't really understand exactly how things connected. And so that was a bit of a challenge for us, but there are tools out there that you can leverage and employ that help provide visibility into how applications are actually executing their traffic, and then that way you can come up with a policy which you can implement that allows that connectivity to then flow. And that really helps in the case where, like Amit was saying, where we have the free flow of traffic, that's really difficult to pinpoint what's legitimate traffic that needs to go through the firewall and be monitored and be inspected, and what needs to be dropped at an east-west control level.

Good. Okay, so in the next slide, right, we are going slightly deeper, right, which we actually showing in the previous slide, about how we're actually doing the macro segmentation and micro segmentation design and using the Azure SDN power, right, you know, in our logical zones in the cloud. So on the right side, right, you actually see where we got an on-premises data center, and in the middle you see we have internal zones, and after that you see the public zone, which is called a DMZ, and on the left side you see we have connections from Internet and public cloud directly from the Azure DMZs. So in the Azure DMZ, if you look into it, right, we have Web Services, and in the internal we have databases. These two environments are communicating and connected to each other using a selective auth and the hardware firewalls, which is actually passing the traffic between these two logical zones, and this way we actually reduce inter-environment lateral movement, which is the micro segmentation there.

We actually using a micro segmentation to reduce that particular lateral movement from the firewall point of view, and within the environment box we are using a micro segmentation using NSGs, means like in the same zone all the VNets are not talking to each other, right. We actually place the NSGs between it so that if anything required, right, by default it has been denied, and it is going to be approved on the basis of the service requirements. So even though the applications may reside in there, they are not going to talk to the databases until we are going to declare the connectivities. So this way we actually represent how we actually doing the micro and macro segmentations in the whole design and taking the real power of the SDN layer.

In the context of this slide, NSG is a network security group?

Yes.

And SDN is software-defined networking, so inclusive of things like NSGs and application security groups?

Correct. Yeah, so these are both, the combination of things like we actually doing it. It is pretty difficult to actually use, because this is a cost-effective method, right, you know. Earlier, say, right, if you actually go and do the firewalls and other, you know, east and west in your routing side, right, it's an increase in the cost, right, in those cases, right, but in this case we actually using a similar kind of model which Azure is actually providing us. So with the self-service in deployment, in the automations, right, when we provision the VNet for the customers, we actually putting in a package around it, which Kelly was mentioning about, like we actually doing the, you know, the tags, we're doing the policies, we doing the locks, and the one package also includes the NSGs itself. So the self-service model actually creates the whole package, including the VNet provisioning model as well, which actually gives by-default policies, right, to be implemented on the VNet layer. So we can control those policies, right, and we can actually say that, right, this VNet need not talk to any other VNets or any other, you know, data, anchored back to the component itself.

Yes. These policies around micro segmentation, they follow the virtual network, they follow the instances themselves. So I can tell you that we've been doing zone-based policy for a long time. The micro segmentation aspects that Amit was talking about right now, doing that at scale in a traditional environment with things like, you know, firewalls in the middle and having to manage placement, topology very carefully would have been extremely difficult and very fragile. But with the fact that this is all software-defined and the policies are actually affixed much closer to the application, or the application instances, makes this possible. So this is something that, you know, with the capabilities inside of Azure closer to the things that we want to protect, it makes this easier to deploy at scale and makes it, again, much less fragile, because things move around in the cloud. Cloud is dynamic, and it's supposed to be that way, but, you know, that can create some operational and security challenges. Doing it this way definitely has some advantages over doing it in a more traditional way.

Another advantage I'll just add to that, David, is that within each of these zones we can control which identity and access, right, is exposed to them. So if we have a DMZ and we want a specific kind of credential used, we can specify that domain only that can be authorized, and that way we prevent that credential theft and lateral movement, which I know a lot of enterprises are really nervous about.

Yeah, so I think, you know, this whole model that we put together does lend itself to least-privileged access, to isolation and segmentation as a fundamental capability, right. If something does go wrong in this environment, because it will, something will get compromised, something will get, you know, malware or something like that, or even the state Sigurd is contain misconfigured, exposed, it's much, we have many more capabilities in place to make sure that that doesn't spread.

Yes, right, east-west controls are there.

That thing can be isolated and can be easily identified and removed from the network if necessary.

Threat container. We could even, a trust model, right, and like you said, right, is one we can use, in other words, of trusting between the resources, right, we control the trust here.

Yes. So yeah. All right, moving on, let's get a little bit deeper into how we actually, what these applications look like running side by side of it.

Yeah, so in the first block, right, in the top block, where we actually talking about the application micro segmentation, where
we actually having a public zone, and the bottom one, right, represent an internal zones. Both environments are isolated using a north-south control grid, the firewalls, and within the public zone you can see that group of applications can't talk to another group of applications by default, like we said in the previous, you know, slide, where we are controlling that particular relationship, right, we're controlling that trust model, where the VNets in the same zones are not talking to each other, right, by default, because we have east and west controls actually been placed out. So similar way, right, in the internal zones we are actually doing the micro segmentations, where the VNet side, which is in the white block, right, we can see that not talking to another white block, right, in the same zones itself. So all the databases are not talking to the databases, even though if we have in place our internal applications, they are not talking to those databases until we will declare the connectivities in there. So this way, right, this is how we actually control the lateral movement of east and west traffic as well within the same zones. And we actually place the one-to-one policies on the network control side as well. Do you have anything in addition to add in this one, David?

I think you covered it pretty well. Again, this has been new territory for the application folks, and getting them to understand and declare their connectivity is not a trivial task sometimes, but it does have definite value in terms of, you know, being able to understand what they truly actually need and then give them that least-privileged access and least amount of connectivity that they require for their application, to make sure that we do improve the security posture. It has also, you know, given them pause sometimes to actually rethink some of the dependencies that they have inside of their applications, to make sure that, you know, they do take this opportunity, this generational opportunity, to re-architect and refine their application so that it is more efficient.

Yeah, another great benefit that we've, by implementing this, you know, isolation, segmentation kind of capability, is that patterns start to emerge, right, patterns, common connectivity scenarios, and what we can do is we can wrap custom policies around these common access scenarios and allow teams in the future to be able to consume those via a self-service mechanism through an auto approval. And so what we strive to do is to actually automate and to make this environment as seamless as possible for any consumer to come and actually get the ExpressRoute networking, but also do so in a very secure way, and enable them through connectivity patterns that are approved by our security teams to be able to, you know, understand how their applications are going to communicate in this environment and make the necessary changes to do so. Anything else you wanna add, Amit?

Well, I think you described pretty well in this way, I think, I agree.

And so on that bottom zone that we talked about, where we host, this is dedicated for databases, correct?

Yeah, so this is what we actually use in the, you know, SDN model, right. In the software-defined networking, right, you can actually have logical zones separated out with your isolated the whole workload side on the application basis, where you can actually separate out your internal apps in a different zone and the databases in the different zone, and you can create the same kind of east and west, you know, controls between those ones and carry the same security posture, right. So this is what we actually doing at India, right, you can create multiple zones, right, but you can still have the same security posture, you know, with the east and west or the north and south control boundaries, right. So that's way, right, this is such a powerful, right, you know, mechanism to actually, you know, use all the zones model, right, which you may have in the on-premises, which separation from your, you know, department-wise, right, you know, sales and marketing, finance and all, they have the different zones, right, you know, on-premises. You can have the same zone model, right, but you can actually differentiate these same zone models within an application workload as well. So it is up to you, right, how you define it. This is only the way we actually expose it and explore it, right. From five to six years, right, we can see that, right, where we actually only doing the zoning model with the service workloads, right, where we actually defining, okay, database is going to get into one, private app going to do one, public

is going to be differently, where egress and ingress traffic coming from outside in, so that resides in the different zone so that we can isolate. And between these two, DMZ and the internal zones, we have a firewall coming to picture. And then, like in the previous slides we discussed about and describing how we are actually using a selective auth, where there are two different identities, right, separated out, but they have a trust relationship within a selective auth side. So you only giving a selective auth trust between application, you know, in the top box, of application A to SQL A, right, you know, under internal zone. So this way you only giving a permission between that application to databases.

So reinforces what we're doing on the network.

Exactly, right, so it's a defense-in-depth.

Yes, yes. Yeah, go ahead.

Say, there's another way to think about this. The east-west controls are really separating applications from one another or business processes from one another, and the north-south controls are largely separating environments from one another or roles within an application ecosystem from one another, so web publishing versus back-end database or a worker process. And then the other thing that you talked about was kind of recognizing that we're not only doing this with network controls but also identity-based controls. So those things that are publishing to the Internet, we're going to use only external identities, and things that are internal, like a worker process or database, those are going to use internal identities. So separating those two, so if something does, you know, happen, you know, you can have that identity separation. If you compromise one, doesn't mean you can jump to the next.

Exactly, yeah. Yeah, and it's just really important also to mention that in the self-service model that we have, where teams are free to come and get their VNets, we provide a lot of guidance in terms of how they should place their application components into the specific zones that are built for, you know, securing the database workload, as an example, or the web front-end workload. If there is a misplacement, a team doesn't quite understand, we catch that at the time of security policy and we say, hey, you cannot run a web service in this database purpose-built zone, you'll have to move that component. That way we ensure the right things happen at the time of provisioning and don't create a situation where we expose things that we do not wish to.

Yeah. Anything else to add?

Okay, I think, yeah, the next one.

All right. With all that said, you know, ExpressRoute is an important part of what we've done in getting to Azure, getting to the public cloud, but it's not the only technology that we use. So if you look at our entire networking environment, the goal really is to get the devices and things and people that are on the left-hand side of this slide, whether they're remote, on premises, whether they're a, you know, a device, headless, what we call connected devices or Internet of Things types of devices, or a dedicated system like a server or something in a lab or a research environment, over to the things on the right-hand side, the applications and resources that you need to do their job. So whether that's in the public cloud and on the internet, or in an on-prem, you know, an on-prem data center or one of our Microsoft buildings, or whether it's another, you know, entirely different logical intranet, a private cloud that we run on premises.

There's a whole host of access, transport and policy services in the middle. ExpressRoute is an important piece of what we're doing, and it's really enabled us to get to the public cloud fast and in volume, but it's not the only thing that we do use. What we're trying to do now is use it in a way that really fills that specific purpose of private connectivity between, you know, Microsoft's private internal environment and a comparable or compatible private environment in Azure, so that we can extend things like private engineering processes we in research environments, and even things that we do to run our internal businesses, into the public cloud.

Yeah, and another thing I would add to that is that with Azure and the power of software-defined networking and using this type of approach, we've used this primarily around securing our datacenter workloads; however, mergers and acquisitions, things like that, it's really, you know, easy and fast to be able to create these new zones when you need to, and then consequently, when you're done, you can actually, you know, easily take them down. So it provides you a lot of flexibility that would be more difficult, be a lot of capital expenditures and things like that, to enable that kind of private connectivity in, say, the case of a merger and acquisition. So it provides us a ton of flexibility and allows Microsoft IT to be very flexible with whatever the business throws at us. And you can imagine, at Microsoft a lot of things are going on, and so there's a lot of purpose-built, you know, activities that we have to do for our engineering teams or research or what have you, and this really gives us the flexibility to do so.

Good. Well, that's the end of the presentation part of the deck. Do you guys have any key takeaways that you would like for our audience to really understand and think
about how it would apply to their environment? Sure. I just want to kind of reiterate a couple of things that David had talked about, and that is, you know, use this opportunity to redefine your corporate network around the types of controls and in the purpose-built way and how you want to run your applications. It's a generational shift. It's time, excuse me, it's time to leverage this generational shift to be able to, you know, really modernize and really anticipate the future and how applications are going to evolve over time. And then the other thing I would add is that there's no secret sauce here. Everything that we've done is using Azure standard capabilities and features, and PowerShell meant for automation, using policies and native capabilities. And we have a very tight relationship with our product groups who provide them feedback all the time on enterprise scenarios, to really, you know, help everybody out there also be able to take advantage of these enterprise scenarios that we push the product groups to. Yes, we like to call ourselves the first customer. Yes. Sometimes that's not, you know, without some level of pain. Correct. But we're a combination, with partner and consumer career on product ease, so we do consume the same services that everyone else does. We don't get any special treatment, and, you know, all the things that you've seen here and all the things that we've talked about here, you can do these. Yes.

So from my point of view, right, the key takeaways are fast and direct connectivity, right, using ExpressRoute, and the optimization, which we are actually showing in these slides. This is a very good opportunity to actually, you know, use highly secure connectivity, right, plus the segmentation, right, which is more important for this whole slide deck, right, which we'll be presenting, about how

you can actually secure your own networks, right, and in the cloud itself, how you actually inherit your own policy boundaries, right, how you specify your policy boundaries in the cloud within the workloads themselves. And in the end, through the combination of micro-segmentation and macro-segmentation, north-south and east-west both, you know, it is up to you how you're going to define it. So this is really a very good opportunity to actually, you know, secure your own networks, right, and which we actually showed, like how we're modernizing it from on-premises to the cloud: when you're doing the migration, you are not actually carrying forward all the legacy paths, right? Yeah, this is an opportunity to actually clear up those paths and declare the whole connectivity pattern. Initially, you know, being in IT, right, I have seen those operational overheads coming in, right, but I think this is going to be a one-time investment, right, but the future is going to look like very easy manageability. So this is what I was thinking about. Right, that's a great point. Yeah, very good points. Thank you, everyone.

The on-demand version of this webinar is going to be posted soon to Microsoft IT Showcase. You'll be able to find related content there, like case studies, blogs, and upcoming webinars. We hope that you'll join us for future webinars and bring your colleagues with you. And now we're going to go ahead and jump into some of the question and answer.

The first question that we got is: which vendor's software-defined networking is Microsoft actually using? And this is an interesting question because, I'll answer it a little bit here, when we say SDN and all the things we've shown you today, this doesn't rely on any third-party technology. This is all Azure software-defined networking. We
mentioned network security groups, we mentioned virtual networking and ExpressRoute. There are integrations with third-party software-defined networking technology, like for example with Azure wide area networking: you can actually connect an SDN device at your edge and connect to Azure that way. That's not what we're talking about here with ExpressRoute, so that's a little bit different, where you would potentially use Azure's network as kind of your backbone, your transport connectivity. Our purpose, or our use case, for ExpressRoute is essentially extending our data center footprint into Azure private. So it's a little different, you know. The SDN that we're talking about here is really the Microsoft software-defined networking side. Correct, yeah.

Okay, now the question is: how many regions do you have ExpressRoute in today? We have actually seven regions, and we have five in the US and two international. So we have a total of seven regions where Microsoft has a presence right now. Do you have any plans to expand? Not right now, but then it depends on the requirements, right, when the application requirements are coming in from different continents, right, and we are definitely looking forward to actually expanding that one.

Do you use a hub-and-spoke model for ExpressRoute? We are not actually using it right now, really, but we are exploring it, where we have an eye engineering, like David, you were mentioning engineering and research, right, you know, those are the massive ones, right, which are actually going to leverage this particular spoke and hub model. And I want to actually, you know, slightly talk about the spoke and hub model: this is really a cost saving as well, right, from the hub-and-spoke model, where all the connectivity is actually going to the hub model as well. We are exploring those particular
ones, right, so that we can actually do the automation packages, right. Like we said, there is no secret sauce here, right. We are actually using what Azure is providing us right now so that we can actually enhance and modernize our own, you know, tool model itself. So yes, we are exploring those ones. Yeah. Or, you know, I think it may be in some cases our spoke is one level removed from what people would typically think of as a hub-and-spoke model with ExpressRoute, where you would have multiple virtual networks that we peer, or use VNet tunneling, to get to another virtual network that had an ExpressRoute connection. We extend those VNet authorizations directly to a kind

of a provider subscription that hosts all those circuits, so we have the multiple VNets to fewer circuit models, but we don't do the VNet peering to a VNet together. So it's a little different, and the reason for that is, you know, we have acted as our own network provider into Azure, so we've used the ExpressRoute Direct model, in which we have our own CPE connected to the MSEE and we provision our own circuits. The other thing, too, that may be unique is that we've been doing this for many, many years, and the volume that we have in Azure is very large, and we have some workloads that are very network intensive. So sharing those individual connections, or, you know, piping everything into a single VNet to go through a gateway to get to ExpressRoute, probably isn't a good fit for some of the network-intensive workloads that we have. So our scale and our size and the fact that we use the ExpressRoute Direct model doesn't make it a necessity for us to do the hub-and-spoke model, as some other customers have done it at a smaller scale. Yeah, that makes sense. Yeah, it depends on the application, it depends on the requirements, right. With the current requirement, we actually go through ExpressRoute Direct, right, which you explained, but there is always an option, right, you know, where the application requirements come in and we ask ratan hub-and-spoke model in the cloud itself.

Another question that we had come in was: if we have Azure or Office 365 connectivity using ExpressRoute, and we're consuming a third-party service, for example Adobe Sign, and that Adobe Sign implementation is also using ExpressRoute for the connectivity with Microsoft, will that help improve the overall performance? So for example, if you had customer A over here and customer B over here, and they were both using ExpressRoute into Azure, would that improve the overall performance? These
are, I think, both private connectivity, right, from the client, from a customer point of view. So both are going through Azure itself, but both are connecting through their own public endpoints, if you're actually using A and B. So it depends, right, on which region you are in, and latency is going to matter on the basis of the region itself. Okay. I think this may be kind of an interesting question here, where, you've mentioned private connectivity, right, so if you have customer A and the third party over here, and they both have private connectivity using ExpressRoute into Azure, that does not necessarily mean that company A and company B can see each other from a perspective. You can establish that connectivity on your own by exchanging routes, but by default that doesn't happen. Yeah. ExpressRoute and Microsoft peering is a little different; that's not the private peering that we're talking about here, right. And in that case, if they are publishing their third-party application on the internet side of Azure, yes, you would use ExpressRoute Microsoft peering to get to that, and yes,

that could improve your overall performance if that path is more robust and more direct. It really depends upon your connectivity model, where your internet edges are and where you're actually peering with Microsoft. So the answer is it could help if it was on the public side. If it was on the private side, really, it depends on how the two companies are connecting in Azure, whether you're exchanging routes. Fair enough.

The next question was: do you allow the application teams to manage the network security groups and the policies for connectivity, or is that all managed by your team? So at the time of provisioning, when we actually configure the subscription and the resources, we put a policy and a lock on there, and the reason we do so is for misconfiguration purposes: we don't want people to go in and misconfigure, reduce the security, open up holes and things like that. So with the policy and lock on there, now in certain cases it is necessary to temporarily remove the lock and alter the NSG. What we ask application teams to do is to use our security review process in order to formally request that, and then IT goes in and makes the necessary changes and enables the connectivity. We generally don't like to let the teams control that aspect of networking within their own subscriptions, for the reasons that I just mentioned. So, yeah, that's a good point, actually. So we are also actually using policy management, right. In this way, we are actually controlling the manager, on the management layer, right; we are actually controlling the groups, right, so that all the policies are going to be inherited, pushed back to the consumer subscription, so that the locks and custom policies which we are actually producing are not going to be changeable, right. It is going to be monitored or maybe controlled by the central IT. And

as part of that migration process, each of these applications that migrated up, again, they had to declare their own connectivity. They had to go back and look at their original security approval, if they had one, to get into the old environment. Sometimes they had to actually go through an entirely new process to actually, you know, declare their connectivity, have it reviewed and accepted by the security folks, and then implemented in policy by you guys, where it's provisioned into Azure. Correct. If you need to change from that, the process you described kicks in. Yeah. They have to go back to security and say, this is the change that I want to make, this is why, and have security say yes, you can, or no, you can't. If the answer is yes, you can, you guys would remove the lock, make the change on their behalf, and put the lock back. Correct. For the reasons that you described, right, we don't want people going in and circumventing security policy, potentially making a mistake that then opens them up to compromise. Correct. I think this is what Kelly was talking about, learning the patterns, right, you know, and how you are actually doing automation on learning the patterns themselves. So we see a lot of patterns coming in, right. When we initially introduced this particular model, we saw a lot of patterns coming in, and we are actually automating those patterns. So which way, right, it is coming out, how the DB and application, right, in the different zones need to talk to each other, right, so the request from the pattern can be pre-approved, right, you know, if it is not going to be a design Dovey or something. So it's going to ease our operational overhead as well, right, so there is nowhere add from the operation side, and we can inherit it, you know, doing the self-service model after authorization as well.

The next question was: there was a slide titled "Operationalize the cloud". It
seems like you've gone to a less centralized model because of the cloud technology, but you're trying to go more toward agile, more toward a native experience, more team-owned and delegated out to the teams, DevOps. Is that a fair characterization? Yeah, I mean, the way that I like to describe it is more around our

role has changed from being that central governance body, where everything has to come through IT before it gets provisioned, to saying, hey, these are the guardrails, right. We implement the security within our hosting layer, like we've done with our ExpressRoute environment, and then we allow teams the flexibility to acquire their own resources, but then adhere to the policies and standards that we set forth as governance. And part of that is built into the security model relative to ExpressRoute and how the segmentation is done, but also some of those responsibilities now lie with those application teams, and we use BI in a lot of cases to expose to those teams how well they're doing relative to their compliance and what they need to do to actually remediate those compliance ought areas. So in a way it becomes more of a partnership: whereas, you know, IT sort of directed and did everything, now it's a partnership with those application teams. We provide the guidance, the policies, the scripts, the templates, the automation provisioning packages, aligned to our security posture, and those teams have to maintain that. They own those responsibilities within their own subscriptions, and we use BI to make sure that everybody is, you know, relatively doing the right thing. So part of the BI function is actually auditing? Auditing, yes. To make sure that they're not doing the things that they shouldn't be doing. Correct. But, you know, yes, the answer is we're not completely decentralized, but there's much less friction now to get the things done correctly where we don't add any value in the process necessarily. But we were part of the critical path in the past because we had to be. We've gotten out of the way. We've stayed in where we felt we could either add value or we were compelled to make sure that they were maintaining
compliance or maintaining to standards, right. So I'll tell you a little story about where we first started with cloud. The original assumption was we're just going to take everything we did and kind of pick it up and plunk it into cloud. We're gonna take all mm of the processes that we had, now maybe I'm exaggerating there, but we were just simply gonna translate what we did in the on-prem data center into cloud. And we fortunately were a little bit smarter than that, but it did take kind of a mindset shift into: I'm not going to just do what I'm accustomed to in the cloud anymore, I'm gonna look for the places, again, where I can actually add value, or where I have a strong case to say I still need to be involved in this particular piece, and this is why. And that, you know, got us out of the conversation that probably would have been pretty ugly with the businesses, where I can just go to the cloud service provider and get everything that I need and I don't need you IT guys anymore. Where, you know, now we were clearly demonstrating value, or we could tell them that this is the reason why I need to put a lock on your NSG, right, because I don't want you to accidentally override this or create a user-defined route that sends

traffic, you know, outside of the edge that I couldn't see and couldn't monitor and couldn't secure. I'm doing this for a reason. So it defused a lot of what could have been a bad conversation with the businesses. Yeah, I think this is a shift of the roles and responsibilities, right, which we talked about, right, you know, how we are actually going through the experience of five and six years of ExpressRoute, right, where centralized IT actually owned everything, right, even the resources, right, even the subscription model as well. Now, how we transform and modernize our, you know, role and responsibility is actually giving it to the customer itself. Customers come in with their own subscription model, and we are actually putting a policy on the top of it and saying, right, okay, you have to be going through this whole security posture with us and carry forward, right, you have to maintain these policies on the subscription layer itself. Like, accessibility of the subscription itself is one of the most important factors, right, being in being with the microbiota, is an in and adopting, an expertise, er. So yeah, it's a shift of the role and responsibility. You see the education, right, the knowledge of Azure, you know, has grown so far, and people are actually feeling the responsibility and putting the resources in it.

So I think, yeah, just to add to that, you know, we do a fair amount of consulting with teams now, where perhaps, you know, we didn't before, where they need to understand: hey, there's a new magic capability, I want to host it in your environment, what do I need to do to be able to do that securely?
So in a lot of cases we get involved pretty deep technically with the application teams looking at spinning up new services and how they're going to be able to deploy them in a secure manner in our environment, and so that's another area where we've grown dramatically. And that gets you to those repeatable patterns that you talked about before. Exactly. And so all these teams that come when they're ready to move, yes, they don't have to do all that discovery themselves, they don't have to do a little exact themselves, they can take advantage of the people that have come here before them. Right, we document, and in any case that we can, we automate, right, and provide our code out as, you know, infrastructure as code or configuration or policy as code out there, so those teams can consume it, even modify it to their needs, while maintaining that posture that we like to have. Yeah, this is a simple word of, like, you know, transparency

and the education, right. Yeah, we're both carrying forward, right, and having these two actually our own customers itself in the Microsoft internal, right, you know, so they can actually really think about, right, networking and security aspects, including the application security. You know, most focus from the application point of view, right: people actually think about the application security or databases, like, you know, TLS and their TDE, right, they only think about those ones. So we give an education, right, how you can define and you can be educated on your own, you know, network postures as well. So the network patterns we talked about, they've been responsible now to actually carry forward that one. Fair enough. I think we have time for a few more questions before we wrap this up.

The next question was: does Microsoft establish ExpressRoute with some of the industry premier service providers, for example Salesforce, SAP, Amazon, Box.com, as well? I think I could start again. So I think ExpressRoute, it is a new purse I offer off aging, yeah, so it's a Microsoft offering that, with the ExpressRoute private peering, the goal is to get you into a private virtual network in Azure. For the Microsoft peering, it is to get you most efficiently to a Microsoft service: Office 365, Dynamics online. SAP? Well, not SAP, but if you want to run SAP in Azure, yeah. Yes. Yeah, it's not necessarily to other SaaS providers or other cloud providers. So there are people in the industry that have a multi-cloud vendor model, but Azure ExpressRoute is uniquely in Microsoft, but different.

The next question here is: for your zones, are you implementing application security groups? Not at this particular time. So when we came up with our model, what we really wanted to do is reduce that lateral east-west traffic as much as possible, because it obscures all of our security monitoring and forensics capability.
But we wanted to make sure that the zone-to-zone interactions, which is really where the application traffic that we want to have actually flows, is monitored and going through the firewall and going through our security inspection stamps. So that mechanism allows us to use the NSGs in that case to not allow that east-west traffic, but then to force the traffic that we do need to inspect through those firewalls. And we are looking at application security groups for other types of environments, not quite as secure as what we've built here for our data centers, or for labs and things like that, where we can easily implement some isolation more at the NIC level with an ASG, as opposed to the NSG, which is at the VNet level. Yeah, in addition to this one, Kelly, right, I just want to add, from the application security groups, you know, there is a difference between the NSG and the application security group. In our model, right, where the consumer has their own subscription, right, coming up, and we are actually only providing the hosting provider for the VNet, we provision the VNet and packages on it. We are not aware of any resource could have been as, or any resource Robbie has been there or not, because application, you know, security is on the resource group layer, right, you are actually defining it on the NIC layer. Once the resources are going to be implemented, then the application security, right, you can actually place a NIC in the particular group and say, okay, this is what the group or control is going to look like. But what we actually do is, right, we have actually already pre-populated the package, right, on the network layer, right, where we are actually defining the controls on the VNet layer itself and say that, right, this minute from, not from the application point of view, but all the applications, whatever you put, the private
app, you know, app or the DB, right, you know, according to the zone they have the consistent and default policies on the top of it. It doesn't matter, right, which resource or which PaaS service you are using, but it is defining the whole network accessibility control, right. So that's the major difference between those ones. So application group is definitely going to be one of the areas, right, where it depends on the requirement of the application, but defining that a particular application could behave like this in the group, right, that can be explored, right. Okay. Yes, you could use them in combination and likely will at some point. Okay, I think we have time for one more question. The last one that we had in there is: what

firewall product are you using? Currently. Tied on from Isis, we have third-party firewalls, right, which are nearby to our CPE, so all traffic coming back to the CPE we inspect, and according to the zones, right, we actually send the traffic back to the corp, from our on-premises corpnet, right. So, but we are also exploring, right, the new Azure native firewall coming up, right, which we are exploring. It is getting pretty mature now. It is in public preview, right. This has a very good feature set coming in. So we always adopt the first party, right, because, as Microsoft IT, we have to adopt and we have to go with the first-party product. Yeah, I think the pattern that we developed five, six years ago, when we first started using ExpressRoute, was very heavily dependent on, you know, third-party industry-standard components, right, because some of those capabilities just were not there in Azure yet. But now, you know, the new pattern that we're developing is as little physical equipment as we could possibly get away with, to the point where we really only truly need to bring that CPE, that edge, to connect to Azure, and in the new configuration there's not going to be any other physical equipment. It may be a minimum of network virtual appliances, but no additional physical equipment in that environment. And again, we're pivoting to using the Azure Firewall as that control, not only from the private environment to the internet, so egress out to the internet, but then also being able to use that for that zone-based capability we talked about. Yeah, so this way all traffic, you know, is not going to come back to the on-prem CPE firewall, you know, which is actually going to every time it coming back too far one and they take Addison. So we are actually going to take advantage of the firewall
to be on the cloud side, right, so that traffic is going to reside there, and the Internet is going to be used from the same cloud-native firewall. Yes. And I won't mention any vendor name specifically, yeah, but, you know, we've used the standard vendors in the industry that people would think of, right. We've gone from, you

know, layer 3, layer 4, or 5-tuple types of rules on the firewalls to now next-gen firewall capabilities, including, you know, layer 7 capabilities, and integrating things like intrusion prevention and other, you know, attached services like anti-malware to the capabilities themselves, and these will flow into native Azure capabilities with Azure Firewall, yeah, and other attached services. Yes. Okay, I think we're getting close to the end of the hour, but if we could go ahead and bring up the resources slide very quickly, I'll go ahead and close this up. But again, you know, there is a lot of great content out on microsoft.com/itshowcase. There are two papers and case studies that I'll call your attention to specifically. There is one that goes into a lot of detail around how we manage Azure ExpressRoute in a global enterprise, much more than we've been able to cover today, and there's also a really great white paper that we put out that describes the software-defined networking controls in excruciating detail, called "Securing the hybrid cloud network with Azure ExpressRoute". Yeah, so I'd highly encourage you to go take a look at those two papers. They will be posted out here with the recording of this webinar as clickable links, but if you search those on Bing, you'll definitely find them. And again, you know, I would again tell you that the on-demand version of this webinar will be posted soon to microsoft.com/itshowcase, where you're going to find the related content here, case studies, blogs, upcoming webinars, and again, I would encourage you to please join us for future webinars and bring your other interested colleagues with you. Thank you very much.

2018-12-18
