Azure Networking Overview
Organizations now have more traffic going to the cloud than on-premises datacenters
Apps move to Internet centric connectivity
Organizations need to redesign their network for the cloud
This new reality requires foundational changes:
• New network designs
• New network security approaches
• New application delivery models
• New operating models
• Private connectivity for application to backend resources
• Optimize user experience for cloud
• Extend app delivery models and network security to the edge
Microsoft global network securely scales your infrastructure
• 170+ global network POPs providing better local performance and faster access to the cloud
• Traffic runs on the Microsoft private global network closest to the user with cold potato routing, irrespective of geographies
• Azure traffic between datacenters stays on Azure network and does not flow over the internet
• Inter-AZ, Inter Region hosting architecture for HA/DR
And powers enterprise customers
+1000’s of enterprise customers
• On-prem and branch connectivity
• Remote work at scale
• Secure global app delivery
• Edge computing
• Secure network infrastructure
that allow your organization to do more
• Hybrid and edge integration
• Zero Trust based network security
• Private and global backbone
• Partnerships with existing network providers
with key differentiators
Azure Networking is built on the Microsoft Global Network
Azure Networking
• Hybrid integration and edge extension: Connect on-premises, multi-cloud, edge, and global users seamlessly
• Zero trust-based network security: Protect your applications, virtual networks, and workloads
• Private and global routing: Deliver consistent, low-latency performance with cold potato routing
• Network as a service: Leverage ready-to-use, scalable services
Performance and reliability at scale
HYBRID INTEGRATION AND EDGE EXTENSION
Azure Networking services connect on-premises, multi-cloud, and edge deployments, allowing you to manage your entire network using centralized access and routing policies.
• Connect on-premises, multi-cloud, branch or edge deployments
• Virtual Network Functions delivered anywhere using Azure Arc
• Accelerate delivery of apps hosted anywhere, including on-prem or other cloud platforms, using Azure CDN / Front Door
ZERO TRUST-BASED NETWORK SECURITY
Azure Networking services offer multi-layered, built-in capabilities that support a Zero Trust approach to security across multi cloud, on-premises, and edge resources.
• Application protection and traffic governance using WAF, Bastion, Private Link
• Secure virtual network infrastructure using segmentation
• Intelligent threat protection with Azure Firewall and Azure DDoS
• Deep integration with other Azure services such as Azure Security Center, Azure Sentinel, Azure AAD, etc.
ZERO TRUST-BASED NETWORK SECURITY
Enable a remote workforce by embracing Zero Trust security
Support your employees working remotely by providing more secure access to corporate resources through continuous assessment and intent-based policies.
• Cloud migration: Enable digital transformation with intelligent security for today’s complex environment
• Mobile access: Empower your users to work more securely anywhere and anytime, on any device
• Risk mitigation: Close security gaps and minimize risk of lateral movement
Zero Trust Architecture
Guiding Principles of Zero Trust:
1 Verify explicitly
2 Use least privilege access
3 Assume breach
[Diagram labels: Identities, Devices, Security Policy Enforcement, Real-time policy evaluation, Organization policy, Data, Apps, Infrastructure, Network, Threat Intelligence, Visibility and Analytics, Automation]
https://www.microsoft.com/en-us/security/zero-trust
PRIVATE AND GLOBAL ROUTING
Azure Networking services, with built-in availability, scalability, and reliability, enable industry-leading SLAs that help ensure business continuity even during traffic spikes.
• Microsoft global network to carry traffic, using cold-potato routing
• Inter-AZ, Inter-Region hosting architecture for HA/DR, with latency as low as 0.74ms
• Predictable performance up-to 100 GBPS through ExpressRoute
• Global app delivery with AFD/CDN
• Scale up or down to address peak demand
NETWORK AS A SERVICE
Azure Networking extends your investments by integrating existing services and preferred providers to create a single, streamlined experience through Azure.
• Enable ultra-low-latency compute scenarios through cellular partnerships
• Connect on-premises networks to cloud and edge deployments using partner services and solutions
Azure Networking use cases and Azure services
• On-prem and branch connectivity: Azure ExpressRoute, Azure ExpressRoute Global, Azure Virtual WAN, Azure VPN Gateway, Azure Peering Service, Azure Orbital, Azure Firewall / Firewall Manager, Potato Routing
• Remote work at scale: Azure VPN Gateway, Azure Virtual WAN, Azure DDoS Protection, Azure Firewall
• Edge computing: Azure Edge Zones, Azure Edge Zones by carrier, Azure Private Edge Zones
• Secure global app delivery: Azure CDN, Azure Front Door, Azure Web Application Firewall, Azure App Gateway, Azure DNS
• Secure network infrastructure: Azure Virtual Network, Azure Load Balancer, Azure Monitoring, Azure Firewall / Firewall Manager, Azure DDoS, Azure Bastion, Azure Private Link
Trends in on-prem and branch connectivity
• Workloads and thus connectivity moving to the cloud
• Satellite technology enables any device anywhere to reach Azure
• Network solutions become more application aware allowing differentiation
• SaaS workloads are disrupting traditional connectivity models, with O365 and SDWAN putting strong demand on performant and business class Internet connectivity
• High bandwidth predictable latency is needed in industries and enterprises like FinTech, Gov, and large Internet who want to avoid Internet to reach the cloud
On-prem and branch connectivity scenarios
Hybrid scenarios
• Disaster recovery
• Bursting
• Distributed apps across cloud and on-premises
• Azure Stack
SAP HANA on Azure
• The architecture of Azure network services is a key component of the successful deployment of SAP applications on
HANA Large Instance
On-prem admins / developers connecting to cloud for managing migrated or cloud-native apps
SaaS scenario such as O365
Azure Networking services for on-prem and branch connectivity
• Azure ExpressRoute
• Azure ExpressRoute Global
• Azure Virtual WAN
• Azure VPN Gateway
• Azure Peering Service
• Azure Orbital
• Azure Firewall / Firewall Manager
• Potato Routing
Azure ExpressRoute
Experience predictable performance with a faster, private connection to Azure
Use Azure ExpressRoute to create private connection between Azure datacenter and your on-premises or co-location infrastructure
• Predictable network performance and lower latencies than public internet connection
• Bandwidth up to 10/100 Gbps
• MacSec support
• Enterprise-grade resiliency with availability SLA
• ExpressRoute Direct, Local, and Global Reach
• Over 200 ExpressRoute partners, including Satellite providers
[Diagram labels: ExpressRoute Circuit, Customer’s Network, Supported Partner Edge, Microsoft Edge, Primary Connection, Secondary Connection]
Microsoft Peering for Office 365, Dynamics 365, Azure public services (public IPs)
Azure Private Peering for Virtual Networks
Azure ExpressRoute Global
Building your own cloud-based global backbone
Build cloud based virtual global backbones by using ExpressRoute and Microsoft’s global network
• Connectivity from on-premises to on-premises fully routed privately within the Microsoft global backbone
• Can be a backup to existing network infrastructure, or it can be the primary means to serve enterprise Wide Area Network (WAN) needs
• Microsoft takes care of redundancy, the larger global infrastructure investments, and the scale out requirements
[Diagram labels: ExpressRoute in Tokyo, ExpressRoute in Silicon Valley, ExpressRoute in Hong Kong, Local service provider “XYZ”, Local service provider “ABC”, Service Provider in the US, Microsoft global network]
Azure Virtual WAN
Simple, unified, global connectivity and security
Brings networking and routing functionalities under a single operational interface
• Brings together S2S VPN, P2S VPN, Express Route, VNET and transitive routing under a single operational interface
• Use when you need to connect multiple on-prem sites, ROBO locations, PoS sites, and cloud services
• Branch connectivity via connectivity automation provided by Virtual WAN VPN/SD-WAN partners
• Intra cloud connectivity (transitive connectivity for Virtual Networks)
• Transit connectivity for VPN and ExpressRoute
• Security with Azure Firewall and Firewall Manager
[Diagram labels: VNet, VNet Connection, Virtual WAN, Site-to-Site VPN, Point-to-Site VPN, ExpressRoute, SD_WAN CPE, HQ/DC, Branch, Remote Users]
Virtual WAN partner ecosystem
Available now Coming soon
Azure VPN Gateway
Connecting your infrastructure to the cloud
A virtual network gateway that sends encrypted traffic between an Azure virtual network and on-premises over the public Internet, or between Azure virtual networks.
• Deploy and access resources within your VPN
• Supports multiple platforms, protocols, and authentication mechanisms
• Configure once to access multiple resources
• Scale on-prem VPN by connecting it to Azure
[Diagram labels: Azure region, Spoke, Hub, VPN gateway, Microsoft backbone, Internet edge, VPN, Internet, On-premises and legacy apps, VPN-connected site, Point-2 site users]
Azure Peering Service
Internet-first access to the cloud
Peering Service is a networking capability that enhances customer
connectivity to Microsoft cloud services or any Microsoft services
accessible via the public internet.
• Best public routing (optimum route hops/AS hops) over the internet to
Microsoft cloud services for optimal performance and reliability.
• Ability to select the preferred service provider to connect to the
Microsoft cloud.
• Traffic insights such as latency reporting and prefix monitoring.
• Route analytics and statistics: Events for (BGP) route anomalies (leak or
hijack detection) and suboptimal routing.
Azure Peering Service
Launch partners
Azure Orbital
Ground station as a service
Azure Orbital – Earth Observation, IoT
Ground Station as a Service (Shared/Multi-tenant)
• Fully managed Microsoft owned Ground Station that allows satellite providers to ingest data straight into Azure
• Open pipeline to integrate marketplace satellite functions: UDP Packet Protection, Signal Processing, Soft Modem, Image calibration, AI on the flow, Data processing
• Support for X, S, UHF Bands
• Pay per minute pricing – no long-term commitment
• Start with 5 GS Locations – Quincy, SA, Dubai, Sweden & Singapore
Azure Orbital – Broadband/Comms
Ground Station as a Service (Dedicated/Single-tenant)
• A managed Service to host dedicated MEO/GEO/LEO 3rd party infrastructure within 1ms of Azure Cloud
• Antennas are owned and supported by Microsoft (24/7 NOC)
• Secured encrypted connectivity end to end
• Bring your own modem
• Hardware hosting
• Global connectivity over the Microsoft core network
• Partnering with top LEO, MEO and GEO providers to host dedicated ground stations in our data centers
Azure Firewall
Cloud-native network security to protect your Azure Virtual Network resources
• Stateful firewall as a service
• Built-in high availability with unrestricted cloud scalability
• Ability to centrally create, enforce, and log application and network connectivity policies
• Threat intelligence-based filtering
• Source and destination Network Address Translation (SNAT and DNAT) support
• Fully integrated with Azure Monitor for logging and analytics
• Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
[Diagram labels: User configuration (L3-L7 connectivity policies); Microsoft Threat Intelligence (Known malicious IPs and FQDNs); Spoke 1, Spoke 2, Spoke VNets, Central VNet, Azure Firewall, On-Premises; Threat intel, NAT, network and application traffic filtering rules allow inbound/outbound access; Traffic is denied by default; Azure to on-prem traffic filtering]
Azure Firewall Manager Preview
Central deployment and configuration for Azure Firewall
Updates
Recently released in preview (Nov 2019)
• Deploy and configure multiple Azure Firewall instances
• Automated routing through Secured Hub for filtering and logging
• Integration with 3rd party Advanced Security Partners
RSA Announcement (18th February 2020)
• Hub virtual network (VNet) support
Coming next (tentative ETA Q2-Q3 CY2020)
• Split Routing – optimized O365 and Azure public PaaS access
• UDR default route automation for Hub VNet support
[Diagram labels: Azure region 1, Azure region N, Global admin, Global policy, Local admin, VNet, Azure Firewall, Secured vHub, Hub VNet, Virtual WAN, VPN, ER/VPN, HQ/branch, End-user devices, Datacenter]
Routing Preference for Public IP and Storage
Currently in preview
Cold Potato routing (route via Microsoft global network)
• Performance optimized
• Route via the Microsoft Global Network
• Enters the Microsoft network closest to the user
• Stays on Microsoft backbone until it exits Microsoft closest to the user
• Default network for all our networking services
[Diagram labels: Customer, Local ISP, Microsoft PoP, Microsoft global network, Azure Services, closest to service]
Hot Potato routing (route via ISP network)
• Cost optimized
• Routes via the ISP network
• Enters the Microsoft network closest to the hosted service region
• Exits Microsoft in the same region the service is hosted
[Diagram labels: Customer, Local ISP, ISP network, Microsoft PoP, Azure Services, closest to service]
Mixed grill: Smithfield Foods runs its $15
billion pork business using a hybrid cloud
To trim the fat from its datacenter infrastructure, Smithfield Foods runs its $15
billion business in Microsoft Azure using a hybrid cloud model. In Azure, servers
and other resources are available instantly using a pay-as-you-go model, and
Azure analytics highlight inefficiencies and security vulnerabilities. With these
insights and efficiencies, Smithfield has slashed datacenter costs by 60 percent,
reduced new-application delivery from two months to one day, and bolstered
network security.
Products and services: Azure, Azure Application Insights, Azure ExpressRoute, Azure Log Analytics
Organization size: 50,000 Employees
Industry: Retailer and consumer goods
Country: United States
Dairy farmers use SAP on Azure to milk
value from enterprise resource planning
A co-op with nearly $14.6 billion in annual sales (2017), Dairy Farmers of America
(DFA) sought to increase value to its 14,500 farmer members by improving time
to value, reducing costs, and embracing modern technologies. DFA worked with
IT partner Khoj Information Technology to migrate its existing hosted SAP
platform to Microsoft Azure, with an eventual goal to migrate nearly all its IT
infrastructure to Azure. DFA has already increased performance of key
workloads, simplified integration of systems due to corporate acquisitions, and
reduced IT costs by 30 percent compared to using hosted datacenters.
Products and services: Microsoft Azure, Azure Application Gateway, Azure Data Lake Store, Azure ExpressRoute, Azure Load Balancer, Azure Site Recovery, Microsoft Power BI
Organization size: 7,000 Employees
Industry: Consumer goods
Country: United States
Trends in remote work at scale
• COVID-19 accelerating digital transformation and remote work resulting in surge in Internet and private connectivity
• A sudden rise in remote workers and their need to access confidential resources in cloud or on-premises
• Ease of operations at scale
• Protection against increase in cyber attacks
Remote work at scale scenarios
Enable remote work at scale with Azure Networking
• Address an increase in network utilization
• Provide reliable-secure connectivity to more employees of their company and customers
• Provide connectivity to remote locations across the globe
Azure Networking services for remote work at scale
• Azure VPN Gateway
• Azure Virtual WAN
• Azure DDoS Protection
• Azure Firewall / Firewall Manager
Azure DDoS Protection
Protect your Azure resources from Distributed Denial of Service (DDoS) attacks
• Always-on monitoring and automatic network attack mitigation
• Adaptive tuning based on platform insights in Azure
• Application layer protection with Azure Application Gateway Web Application Firewall
• Integration with Azure Monitor for analytics and insights
• Protection against the unforeseen costs of a DDoS attack
1 Azure global network
2 Adaptive tuning
3 Attack analytics and metrics
4 DDoS Rapid Response (DRR)
5 SLA guarantee and cost protection
[Diagram labels: Public Internet, Azure, Public IP 1, Public IP 2, Spoke VNET, Central VNET, DDoS Protection Standard, Inbound / Outbound, Inbound, Azure DDoS Adaptive Tuning Engine, Azure Firewall, Azure WAF, Web Application 1, Web Application 2]
Trends in secure global app delivery
• More internet facing apps, that need to be secure by default and ready to adapt and scale
• CDNs evolving from file caching networks to security led, application accelerators fully customizable with compute@edge
• Network performance can contribute to > 60% of API transaction / page load time
• Data transaction and bandwidth charges can be > 50% of overall app costs
Internet Web Traffic: By 2022, CDNs will carry 72% of Internet
50+% BOTs
Web Performance: Page load 1s->5s | User bounce 90%
Secure global app delivery scenarios
Secure and ensure the reliability of your external-facing resources such as websites, APIs,
and applications
Deliver fast and reliable content - Optimally delivers content helping your workload scale,
keep devices up to date, move data to data lake
Build globally scalable applications - Reliably handle issues like bursts of traffic, changing
platform and client software, and malicious attacks.
Use Opex model to reduce costs - Right-size to your usage requirements by paying only for
what you need, moving from CAPEX to OPEX consumption.
Azure Networking services for secure global app delivery
• Azure CDN
• Azure Front Door
• Azure Web Application Firewall
• Azure App Gateway
• Azure DNS
Azure CDN
A global, scalable and secure CDN solution
• Deliver static content like images, style sheets, documents, and HTML pages
• Deliver content faster and with lower latency, regardless of users’ geographic location. Cache content on the CDN / Edge for min 30% boost in global performance vs. delivery from Storage / Compute
• Reduce web app load by letting CDN handle content service requests
• Scale static apps to > 100x with up to 80% cost savings by delivering from CDN / Edge, migrate content from on-prem to cloud
[Diagram labels: Azure CDN from Verizon, Azure CDN from Microsoft, Azure CDN from Akamai]
Azure Front Door
Global application acceleration and content delivery
Define, manage, and monitor global routing of your web traffic by optimizing for best performance and enabling instant failover for high availability.
• Global HA, BCDR - Enable fast-failover for regional services, microservices at the Edge with active path monitoring
• Security at the Edge - Stop threats where they come from at the Edge with DDoS protection and customizable WAF
• Faster apps - Reduce latency and increase throughput for apps by offloading SSL at the Edge and accelerating requests
• Deliver and scale global web apps with an http(s) load balancer
• Integrated static content caching
• Global app dashboard, service insights
[Diagram labels: Edge Location, Azure Region, Media Services (Ingest, Encoding, Personalization, Security, Analytics), Unmetered egress, Ingest, stream.contoso.com, Storage, Microsoft Global Network]
Azure Web Application Firewall
A cloud-native web application firewall (WAF) service that provides powerful protection for web apps
• Highly available, autoscaling, fully platform managed
• Native in region and intra-VNet/hybrid integration
• Support public IP, private IPs, cross region, or on-premises backend pools
• OWASP top 10 out of box protection
• CRS 2.2.9, CRS 3.0, CRS 3.1 (upcoming)
• Custom Rules supported
• Rule configurability, exclusion lists, different rules sets, anomaly scoring
• Near real time monitoring/alerting with Azure Monitor, Azure Security Center integration, Azure Sentinel integration
[Diagram labels: SQLi/XSS attack, Valid request, Crawler/Scraper, WAF, L7 LB, Application Gateway & WAF, VM/VMSS, Azure App Service, Azure Kubernetes Service, On-Premises]
Azure App Gateway
Build secure, scalable, and highly available web front ends in Azure
• Platform-managed, scalable, and highly available application delivery controller as a service
• Centralized SSL offload and SSL policy
• 99.95 percent uptime service-level agreement for multi-instance deployments
• Support for cookie-based session affinity
• Customizable layer 7 load-balancing solution
• Support for public, private, and hybrid websites
• Integrated web application firewall
• Management through Azure APIs
• Autoscaling, improved performance and faster provisioning
[Diagram labels: Scale out at load, Static VIP, Azure Key Vault, Min capacity, Max capacity, AZ1, AZ2, Azure App Service, AKS, VMSS, On-Premises]
Azure DNS
Host your domain in Azure for outstanding performance and availability
• DNS hosted alongside your apps
• Ultra-high availability
• Accelerate your apps with fast DNS queries
• Get DNS updates without the wait
• Supports all common DNS record types
[Diagram labels: Resource, Web App, Lookup, Browser, Azure DNS]
Azure Bastion
Private and fully managed RDP and SSH access to your virtual machines
• Connect your RDP and SSH sessions directly in the Azure Portal using a single click experience
• Log into your Azure virtual machines and avoid public Internet exposure using SSH and RDP with private IP addresses only
• Integrate and traverse existing firewalls and security perimeter using a modern HTML5 based web client and standard SSL ports
• Use your SSH keys for authentication when logging into your Azure virtual machines
[Diagram labels: Azure portal, Internet, TLS, 443, NSG, Azure Bastion, AzureBastionSubnet, Private IP, Port: 3389/22, Remote protocol (RDP, SSH), Azure VM, Target VM subnet(s), Virtual Network]
Azure Private Link
Private access to services hosted on the Azure platform, keeping your data on the Microsoft network
• Private connectivity to services on Azure—traffic remains on the Microsoft network, with no public internet access
• Integration with on-premises and peered networks
• Protection against data exfiltration for Azure resources
• Services delivered directly to your customers’ virtual networks
[Diagram labels: NSG, Compute, Private Endpoint, Azure Private Link, Only access mapped resources]
Digital agency creates AI chatbot to help simplify
customer engagements and transactions
Situation: Plastic Havas, a digital agency, helps their clients better engage with their
consumers by delivering digital experiences across web, mobile, app or screen.
Solution: Leveraging out-of-the-box Microsoft Azure services, Plastic Havas created a
simple, scalable, and responsive mobile AI Chatbot that can be used across a variety of
industries.
Impact: The mobile solution aims to simplify quick transactions and processes that users
go through every day, to help create meaningful experiences between users and their
favorite brands or companies.
“There's actually quite a wealth of Microsoft AI services that are
a part of this build that helped make sure our build is scalable,
can move and grow as we need to, and is responsive.”
Opi Marok, VP Strategic Partnerships, Plastic Havas
Products and services: Azure Bot Service (AI), Azure Data Factory, Azure Front Door, Azure Functions, Azure Storage, Azure Language Understanding Intelligent Service (LUIS), Azure Machine Learning, Azure SQL Database
Organization size: Medium (50-999 Employees)
Industry: Consumer goods
Country: Canada
Nutritional supplement company fortifies systems
at 90 percent savings with Microsoft Azure
Situation: Nature’s Sunshine struggled with a buildup of disparate solutions, an ERP
system that didn’t deliver expected results, an expensive CDN, and worries about the
company’s reputation. It needed the performance possible with a modernized
infrastructure.
Solution: Based on its existing Microsoft Azure Active Directory deployment, the company
switched to Azure services like Azure DevOps, Azure Kubernetes Service (AKS), Azure App
Service, and Azure Cosmos DB. And with Azure Content Delivery Network, the team
delivers content quickly and highly securely.
Impact: Nature’s Sunshine saved 90 percent on its costs after replacing its existing
CDN service with Azure Content Delivery Network. And the company continues to
use a spectrum of Azure services, slicing development and delivery times and pleasing
customers.
“After shifting our payment service to Azure, we saw a drop of
nearly a thousand exceptions. We couldn’t have delivered that
result without Azure.”
Nate Langston, Executive Director of Software Engineering, Nature’s Sunshine
Products and services: Microsoft Azure, Azure Active Directory, Azure Kubernetes Service (AKS), Azure App Service, Azure Content Delivery Network, Azure Cosmos DB, Azure DevOps, Azure Monitor
Organization size: Medium (50-999 Employees)
Industry: Retailers
Country: United States
Trends in edge computing
• Edge connectivity in limited connectivity scenarios
• Cloud computing coming to the edge
• IoT/connected devices will process data closer to the edge
• AR/VR edge compute
• Edge analytics by collecting and analyzing data at the sensor, device, or touch point
Edge compute scenarios
Better, more responsive and robust application performance
Predictive maintenance with Industrial IoT
Connected home and office
Conserving network and computing resources
Reducing latency
Azure Networking services for edge computing
• Azure Edge Zones
• Azure Edge Zones by carrier
• Azure Private Edge Zones
Azure Edge Zones
Ultra-low latency compute—enabling new scenarios with Azure, 5G, and carrier partners
[Diagram labels: Azure regions, Azure Edge Zones, Azure Edge Zones with carrier, Azure Private Edge Zones, Azure Stack Edge, 5G]
Consistent Azure services, app platform, management, and security
Ultra-low latency compute
‘Breaking the barriers between the cloud and the edge’
• Edge Zones at MS POPs
• Edge Zones in carrier datacenter
• Private Edge Zones in customer’s premises
[Diagram labels: Azure Datacenters, Azure Edge Zones, Azure Edge Zones with carrier, Azure Private Edge Zone; use cases shown: DevOps, IoT, Media, Data Processing, Connected Cars, Smart Factories, Online gaming, Smart Agriculture, Events/Cashless, Security, Robotics, Tele-medicine, Warehousing]
Azure Edge Zones
Azure is closer to the end user
Low latency access to processing power
Connected to fast, global backbone
Provision and manage your services through the Azure Portal
Low-latency compute are local extensions of Azure providing
compute, storage and services closer to customers.
Azure Edge Zones by carrier
Boost application performance
Manage through single pane of glass
Azure is closer to the end user
Telcos’ DCs & Microsoft PoP sites
Optimized for multitenant deployments
Larger scale workloads and scalable mobile reach
Usage-based consumption of services
Ultra-low latency direct application access to 5G networks and
subscribers through Edge Zones located with leading carriers and
Telcos.
Azure Private Edge Zones
Bring Azure experience closer to the user
Based on Azure Stack Edge
Customers on-premises
Optimized for single tenant deployments
Scales from 1U to racks, other formfactors
Pay as you go hardware and services
Private ultra-low latency and high bandwidth network
solution that creates a 5G network on-premises with
Azure Stack Edge.
Edge Zone and Private Edge Zone carrier partners
Trends in secure network infrastructure
• Automation of network attack alerts
• Hybrid infrastructure security
• High availability and performance for apps
Secure network infrastructure scenarios
Secure access
App traffic security over the network
Protecting from common attacks (DDOS)
Security at the edge locations
Azure Networking services for a secure infrastructure
• Azure Virtual Network
• Azure Load Balancer
• Azure Monitoring
• Azure Firewall / Firewall Manager
• Azure DDoS
Azure Virtual Network
Your private network in the cloud
• Build a hybrid infrastructure that you control
• Bring your own IP addresses and DNS servers
• Secure your connections with an IPsec VPN or ExpressRoute
• Get granular control over traffic between subnets
• Create sophisticated network topologies using virtual appliances
• Get an isolated and highly-secure environment for your applications
[Diagram labels: Hub VNet, NVA, Transit Gateway, Transit, UDR, DMZ, BE, NSG, App1 VNet, App2 VNet]
Network Security Group (NSG)
Action  Name              Source    Destination  Port
Allow   WebRule           Internet  WebServers   80,443 (HTTP)
Allow   AppRule1          Web1      App1         443 (HTTPS)
Allow   DbRule1           App1      Db1          1443 (MSSQL)
Allow   AppRule2          Web2      App2         443 (HTTPS)
Allow   DbRule2           App2      Db2          1443 (MSSQL)
Deny    Deny all inbound  Any       Any          Any
Azure Load Balancer
Deliver high availability and network performance to your applications
• Instantly add scale to your applications
• Load balance Internet and private network traffic
• Improve application reliability via health checks
• Flexible NAT rules for better security
• Directly integrated into virtual machines and cloud services
• Native IPv6 support
[Diagram labels: Internet, Azure traffic manager (DNS load balancer), ALB (L4 load balancer), Application Gateway, VM]
Azure Monitoring
Maximize the availability and performance of your applications and services
• Detect and diagnose issues across applications and dependencies with Application Insights.
• Correlate infrastructure issues with Azure Monitor for VMs and Azure Monitor for Containers.
• Drill into your monitoring data with Log Analytics for troubleshooting and deep diagnostics.
• Support operations at scale with smart alerts and automated actions.
• Create visualizations with Azure dashboards and workbooks.
[Diagram: Azure Monitor. Sources: Application, Operating System, Azure Resources, Azure Subscription, Azure Tenant, Custom Sources. Data: Metrics, Logs. Insights: Application, Container, VM, Monitoring Solutions. Visualize: Dashboards, Views, Power BI, Workbooks. Analyze: Metric Analytics, Log Analytics. Respond: Alerts, Autoscale. Integrate: Logic Apps, Export APIs.]
Azure Firewall
Cloud-native network security to protect your Azure Virtual Network resources
• Stateful firewall as a service
• Built-in high availability with unrestricted cloud scalability
• Ability to centrally create, enforce, and log application and network connectivity policies
• Threat intelligence-based filtering
• Source and destination Network Address Translation (SNAT and DNAT) support
• Fully integrated with Azure Monitor for logging and analytics
• Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways
[Diagram: Azure Firewall in a Central VNet between Spoke 1, Spoke 2 (Spoke VNets) and On-Premises. User configuration: L3-L7 connectivity policies. Microsoft Threat Intelligence: known malicious IPs and FQDNs. Threat intel, NAT, network and application traffic filtering rules allow inbound/outbound access. Traffic is denied by default. Azure to on-prem traffic filtering.]
Azure Firewall Manager Preview
Central deployment and configuration for Azure Firewall
Updates
Recently released in preview (Nov 2019)
• Deploy and configure multiple Azure Firewall instances
• Automated routing through Secured Hub for filtering and logging
• Integration with 3rd party Advanced Security Partners
RSA Announcement (18th February 2020)
• Hub virtual network (VNet) support
Coming next (tentative ETA Q2-Q3 CY2020)
• Split Routing – optimized O365 and Azure public PaaS access
• UDR default route automation for Hub VNet support
[Diagram: Azure region 1 through Azure region N; Global admin, Global policy, Local admin; Azure Firewall in a Secured vHub and in a Hub VNet; VNet; Virtual WAN; VPN; ER/VPN; HQ/branch; End-user devices; Datacenter]
Azure DDoS Protection
Protect your Azure resources from Distributed Denial of Service (DDoS) attacks
• Always-on monitoring and automatic network attack mitigation
• Adaptive tuning based on platform insights in Azure
• Application layer protection with Azure Application Gateway Web Application Firewall
• Integration with Azure Monitor for analytics and insights
• Protection against the unforeseen costs of a DDoS attack
1. Azure global network
2. Adaptive tuning
3. Attack analytics and metrics
4. DDoS Rapid Response (DRR)
5. SLA guarantee and cost protection
[Diagram: Public Internet to Azure via Public IP 1 and Public IP 2; DDoS Protection Standard; Spoke VNET, Central VNET, Spoke VNET with inbound and outbound traffic; Azure DDoS Adaptive Tuning Engine; Azure Firewall; Azure WAF; Web Application 1; Web Application 2]
Azure Networking Managed Services Partners (MSP)
MSP offerings available in Azure Marketplace simplify customer experience
Get started now
Explore Azure Networking services and how to get started:
• Learn more about Azure Networking
• Connect with VPN partners for connectivity
• Connect with Virtual WAN partners for connectivity
• Connect with CDN partners
• Learn more about ExpressRoute for connectivity
• Learn more about Edge and Telco partnerships
Services:
• Azure ExpressRoute
• Azure ExpressRoute Global
• Azure Virtual WAN
• Azure VPN Gateway
• Azure Peering Service
• Azure Orbital
• Azure Firewall
• Azure Firewall Manager Preview
• Azure DDoS Protection
• Azure Edge Zones
• Azure CDN
• Azure Front Door
• Azure Web Application Firewall
• Azure App Gateway
• Azure DNS
• Azure Bastion
• Azure Private Link
• Azure Virtual Network
• Azure Load Balancer
• Azure Monitoring