Cloud and Datacenter Management Blog

Microsoft Hybrid Cloud blogsite about Management



#Microsoft Azure virtual datacenter HUB-Spoke Model: A network perspective #Cloud #Azure #Security

Microsoft Azure HUB-Spoke Model

When you have your Microsoft Azure architectural design in place, such as a HUB-Spoke model, this Microsoft documentation can help you with the security and networking design for your Microsoft Azure cloud services.

The Virtual Data Center (VDC) isn’t just the application workloads in the cloud. It’s also the network, security, management, and infrastructure. Examples are DNS and directory services. It usually provides a private connection back to an on-premises network or datacenter. As more and more workloads move to Azure, it’s important to think about the supporting infrastructure and objects that these workloads are placed in. Think carefully about how resources are structured to avoid the proliferation of hundreds of workload islands that must be managed separately with independent data flow, security models, and compliance challenges.

Read this Awesome Microsoft Azure Virtual Data Center documentation from a Network perspective here

Conclusion:

When you have your Microsoft Azure high-level design, get your security and network in Azure in place in a way that is manageable for your cloud administrators and your business. Here are some tips:

  • Understand the data workflows in your Azure Virtual Data Center.
  • Make a detailed (low-level) network and security design.
  • Keep it simple but secure.
  • Before you go into production, have a security assessment (pentest) done by third-party professionals (for example, the company CQURE).

 



Get Started with Microsoft #MSOMS Network Performance (Preview)


OMS Network Performance Monitor (Preview)

This blog post describes how to set up and use the Network Performance Monitor solution in OMS, which helps you monitor the performance of your networks, in near real time, to detect and locate network performance bottlenecks. With the Network Performance Monitor solution, you can monitor the loss and latency between two networks, subnets or servers. Network Performance Monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods are not able to detect. Network Performance Monitor generates alerts and notifies you as and when a threshold is breached for a network link. These thresholds can be learned automatically by the system or you can configure them to use custom alert rules. Network Performance Monitor ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device.

You can detect network issues with the solution dashboard, which displays summarized information about your network including recent network health events, unhealthy network links, and subnetwork links that are facing high packet loss and latency. You can drill down into a network link to view the current health status of subnetwork links as well as node-to-node links. You can also view the historical trend of loss and latency at the network, subnetwork, and node-to-node level. You can detect transient network issues by viewing historical trend charts for packet loss and latency and locate network bottlenecks on a topology map. The interactive topology graph allows you to visualize the hop-by-hop network routes and determine the source of the problem. Like any other solution, you can use Log Search for various analytics requirements to create custom reports based on the data collected by Network Performance Monitor.

The solution uses synthetic transactions as its primary mechanism to detect network faults, so you can use it without regard for a specific network device’s vendor or model. It works across on-premises, cloud (IaaS), and hybrid environments. The solution automatically discovers the network topology and the various routes in your network.

Typical network monitoring products focus on monitoring the network device (routers, switches etc.) health but do not provide insights into the actual quality of network connectivity between two points, which Network Performance Monitor does.

If you are new to Microsoft Operations Management Suite, you can get a free OMS subscription plan here to try it yourself.


Once you have added the Microsoft OMS Network Performance Monitor (Preview) to your dashboard, you need to install the OMS agents and configure them; after these three straightforward steps the Network Performance solution starts collecting results.

  1. Install OMS agents.
  2. Configure OMS agents.
  3. Create your networks.

1. Install OMS Agents:

In order to work with OMS, OMS agents are required to be installed on all servers of interest.

NPM requires agents to be installed on at least 2 servers to monitor the connectivity between them. We recommend that for every subnet that you want to monitor, select two or more servers and install the agent on them. If you are unsure about the topology of your network, simply install the agents on critical workloads for which you want to monitor the network performance.


Here you can download the OMS agent for your server.

If you are deploying using SCOM, you can skip step 1 and jump directly to step 2.

Once the NPM solution is enabled on your OMS workspace the required management packs for NPM will automatically flow down to the machines that are connected to OMS via SCOM.

In case you want to connect SCOM with OMS but haven’t figured out how to do it yet, click on the link below.

How to Connect SCOM to OMS

2. Configure OMS agents:

Firewall ports are required to be opened on the servers so that the agents can connect to each other.

Run the script without any parameters in a PowerShell window with administrative privileges. The script creates a few registry keys required by NPM and creates Windows Firewall rules that allow the agents to open TCP connections to each other.

The port opened by default is 8084. You can use a custom port by passing the ‘portNumber’ parameter to the script; however, the same port must be used on all machines where the script is executed.

Note that the script configures only the local Windows Firewall. If you have a network firewall between the servers, make sure that it allows traffic destined for the TCP port used by NPM.


Run the PowerShell script as Administrator on your servers.
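As an added illustration of what the firewall part of that step does (this is not Microsoft's NPM script and does not set the registry keys it creates), the following PowerShell opens the agent port but scopes the rule to the subnets that actually hold agents, then verifies the port and a peer agent. The subnets 10.10.1.0/24 and 10.10.2.0/24 and the peer 10.10.2.15 are constructed values.

```powershell
# Added example: scoped Windows Firewall rule for the NPM agent port, plus a verification step.
# Assumptions (constructed values): agents live in 10.10.1.0/24 and 10.10.2.0/24,
# and the peer agent 10.10.2.15 has already run the same configuration.
[CmdletBinding()]
param(
    [ValidateRange(1024, 65535)]
    [int]$portNumber = 8084,                                    # NPM default; must be identical on every agent
    [string[]]$AgentSubnets = @('10.10.1.0/24', '10.10.2.0/24'), # only agents need to reach this port
    [string]$PeerAgent = '10.10.2.15'
)

$ruleName = "NPM-Agent-TCP-$portNumber"

# Create the inbound rule once; re-running the script updates the remote scope instead of
# piling up duplicate rules.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Allow OMS Network Performance Monitor agent-to-agent TCP probes' `
        -Direction Inbound -Protocol TCP -LocalPort $portNumber `
        -RemoteAddress $AgentSubnets -Action Allow -Profile Domain, Private | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $AgentSubnets -Enabled True
}

# Check 1: the rule really opens the port we expect (catches a typo in portNumber).
$portFilter = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
if ($portFilter.LocalPort -ne "$portNumber") {
    throw "Rule '$ruleName' does not open TCP $portNumber"
}

# Check 2: the peer agent answers on the port. A False here with the local rule in place
# points at the peer's configuration or at a network firewall in between.
$probe = Test-NetConnection -ComputerName $PeerAgent -Port $portNumber -WarningAction SilentlyContinue

[pscustomobject]@{
    Rule         = $ruleName
    LocalPort    = $portFilter.LocalPort
    RemoteScope  = ($AgentSubnets -join ', ')
    PeerAgent    = $PeerAgent
    TcpReachable = $probe.TcpTestSucceeded
}
```

Save it as a .ps1 and run it elevated on each agent server, passing -portNumber only if you chose a custom port.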

3. Create your Networks:

A ‘Network’ in NPM is a container for a group of subnets. The Default network is the container for all the subnets that are not contained in any user-defined network. In the most likely case the subnets in your organization will be arranged in more than one network, and you should create one or more networks to logically group your subnets.

You can create a network with any name that meets your business requirements and add the subnets to the network.

Once you have saved the configuration for the first time, the solution will start collecting network data. The process usually takes a while. Once the data has been uploaded you should be able to see the solution dashboard with data and graphs. At this point the setup is complete and you can start using the solution.

The OMS Performance Monitor Solution needs time to get the information of your network.


I have only one network in my lab environment.


OMS Network Performance Monitor (Preview)


The issue here is that my switches are not IPv6 ready 😦


After a few days of analytics you can make your own custom view.


Here you can plot network performance issues between two servers.


Everything is fine here 🙂


When something is wrong you can go directly to the View Node Logs.


OMS Log Analytics results for your server.

When you have a large network with many hops, such as switches and routers, you can see where you have latency:


The OMS NPM solution is still in preview, but you can try it in your test environment to learn it and to improve your network by eliminating network issues.
When you use the OMS Gateway on-premises you can connect your servers to Operations Management Suite; here you find my blog post on its installation and configuration:

Hybrid IT Connect computers and devices to #MSOMS using the OMS Gateway

Hope this blog post is useful for getting your network under control with the Hybrid IT management of OMS services.




UPDATE : #Microsoft Azure ExpressRoute Overview #Azure #Cloud #HybridCloud


Microsoft Azure ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a dedicated private connection facilitated by a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services, such as Microsoft Azure, Office 365, and CRM Online. Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network, or a virtual cross-connection through a connectivity provider at a co-location facility. ExpressRoute connections do not go over the public Internet. This allows ExpressRoute connections to offer more reliability, faster speeds, lower latencies, and higher security than typical connections over the Internet.

Key benefits include:

  • Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider. Connectivity can be from an any-to-any (IPVPN) network, a point-to-point Ethernet connection, or through a virtual cross-connection via an Ethernet exchange.
  • Connectivity to Microsoft cloud services across all regions in the geopolitical region.
  • Global connectivity to Microsoft services across all regions with ExpressRoute premium add-on.
  • Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
  • Built-in redundancy in every peering location for higher reliability.
  • Connection uptime SLA.
  • QoS and support for multiple classes of service for special applications, such as Skype for Business.

See the ExpressRoute FAQ for more details.


How can I connect my network to Microsoft using ExpressRoute?

You can create a connection between your on-premises network and the Microsoft cloud in three different ways.

  1. Co-located at a cloud exchange. If you are co-located in a facility with a cloud exchange, you can order virtual cross-connections to the Microsoft cloud through the co-location provider’s Ethernet exchange. Co-location providers can offer either Layer 2 cross-connections, or managed Layer 3 cross-connections between your infrastructure in the co-location facility and the Microsoft cloud.
  2. Point-to-point Ethernet connections. You can connect your on-premises datacenters/offices to the Microsoft cloud through point-to-point Ethernet links. Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.
  3. Any-to-any (IPVPN) networks. You can integrate your WAN with the Microsoft cloud. IPVPN providers (typically MPLS VPN) offer any-to-any connectivity between your branch offices and datacenters. The Microsoft cloud can be interconnected to your WAN to make it look just like any other branch office. WAN providers typically offer managed Layer 3 connectivity.

ExpressRoute capabilities and features are all identical across all of the above connectivity models. Connectivity providers can offer one or more connectivity models from the above list. You can work with your connectivity provider to pick the model that works best for you.

ExpressRoute features

ExpressRoute supports the following features and capabilities.

Layer 3 connectivity

Microsoft uses industry standard dynamic routing protocol (BGP) to exchange routes between your on-premises network, your instances in Azure, and Microsoft public addresses. We establish multiple BGP sessions with your network for different traffic profiles. More details can be found in the ExpressRoute circuit and routing domains article.

Redundancy

Each ExpressRoute circuit consists of two connections to two Microsoft Enterprise edge routers (MSEEs) from the connectivity provider / your network edge. Microsoft will require dual BGP connection from the connectivity provider / your side – one to each MSEE. You may choose not to deploy redundant devices / Ethernet circuits at your end. However, connectivity providers use redundant devices to ensure that your connections are handed off to Microsoft in a redundant manner. A redundant Layer 3 connectivity configuration is a requirement for our SLA to be valid.

Connectivity to Microsoft cloud services

ExpressRoute connections enable access to the following services.

  • Microsoft Azure services
  • Microsoft Office 365 services
  • Microsoft CRM Online services (coming soon)

You can visit the ExpressRoute FAQ page for a detailed list of services supported over ExpressRoute.

Connectivity to all regions within a geopolitical region

You can connect to Microsoft in one of our peering locations and have access to all regions within the geopolitical region.

For example, if you connected to Microsoft in Amsterdam through ExpressRoute, you will have access to all Microsoft cloud services hosted in Northern Europe and Western Europe. Refer to the ExpressRoute partners and peering locations article for an overview of the geopolitical regions, associated Microsoft cloud regions, and corresponding ExpressRoute peering locations.

Global connectivity with ExpressRoute premium add-on

You can enable the ExpressRoute premium add-on feature to extend connectivity across geopolitical boundaries. For example, if you are connected to Microsoft in Amsterdam through ExpressRoute, you will have access to all Microsoft cloud services hosted in all regions across the world (national clouds are excluded). You can access services deployed in South America or Australia the same way you access the North and West Europe regions.

Rich connectivity partner ecosystem

ExpressRoute has a constantly growing ecosystem of connectivity providers and SI partners. You can refer to the ExpressRoute providers and locations article for the latest information.

Connectivity to national clouds

Microsoft operates isolated cloud environments for special geopolitical regions and customer segments. Refer to the ExpressRoute providers and locations page for a list of national clouds and providers.

Supported bandwidth options

You can purchase ExpressRoute circuits for a wide range of bandwidths. The supported bandwidths are listed below. Be sure to check with your connectivity provider to determine which of these bandwidths they offer.

  • 50 Mbps
  • 100 Mbps
  • 200 Mbps
  • 500 Mbps
  • 1 Gbps
  • 2 Gbps
  • 5 Gbps
  • 10 Gbps

Dynamic scaling of bandwidth

You have the ability to increase the ExpressRoute circuit bandwidth (on a best effort basis) without having to tear down your connections.

Flexible billing models

You can pick a billing model that works best for you. Choose between the billing models listed below. Refer to the ExpressRoute FAQ page for more details.

  • Unlimited data. The ExpressRoute circuit is charged based on a monthly fee, and all inbound and outbound data transfer is included free of charge.
  • Metered data. The ExpressRoute circuit is charged based on a monthly fee. All inbound data transfer is free of charge. Outbound data transfer is charged per GB of data transfer. Data transfer rates vary by region.
  • ExpressRoute premium add-on. The ExpressRoute premium is an add-on over the ExpressRoute circuit. The ExpressRoute premium add-on provides the following capabilities:
    • Increased route limits for Azure public and Azure private peering from 4,000 routes to 10,000 routes.
    • Global connectivity for services. An ExpressRoute circuit created in any region (excluding national clouds) will have access to resources across any other region in the world. For example, a virtual network created in West Europe can be accessed through an ExpressRoute circuit provisioned in Silicon Valley.
    • Increased number of VNet links per ExpressRoute circuit from 10 to a larger limit, depending on the bandwidth of the circuit.

Here you can read more about Microsoft Azure ExpressRoute.

Video Published on May 14, 2015

This session provides an overview of Hybrid Scenarios supported in Microsoft Azure. Come and learn about how Microsoft Azure ExpressRoute enables you to extend your network to Microsoft and enable Hybrid Scenarios for your Enterprise. Learn about how you can plan for connectivity to Office 365 services over ExpressRoute. Hybrid Scenarios change the volume and nature of traffic flows within and outside a corporate network. Find out how the Microsoft IT addressed these challenges using ExpressRoute.



New in Windows Server Technical Preview, Network Controller #Winserv #SDN #Hyperv #NetworkController

Network Controller

New in Windows Server Technical Preview, Network Controller provides a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot virtual and physical network infrastructure in your datacenter. Using Network Controller, you can automate the configuration of network infrastructure instead of performing manual configuration of network devices and services.

Network Controller Features

The following Network Controller features allow you to configure and manage virtual and physical network devices and services.

  • Fabric Network Management
  • Firewall Management
  • Network Monitoring
  • Network Topology and Discovery Management
  • Service Chaining Management
  • Software Load Balancer Management
  • Virtual Network Management
  • Windows Server Gateway Management

Fabric Network Management

This Network Controller feature allows you to easily manage the fabric, or physical network, for your datacenter stamp or cluster. Using this feature, you can configure IP subnets, virtual Local Area Networks (VLANs), Layer 2 and Layer 3 switches, and network adapters installed in host computers.

Fabric network management includes planning, designing, implementation, and auditing of the fabric network resources and network infrastructure services.

Firewall Management

This Network Controller feature allows you to configure and manage allow/deny firewall Access Control rules for your workload VMs for both East/West and North/South network traffic in your datacenter. The firewall rules are plumbed in the vSwitch port of workload VMs, and so they are distributed across your workload in the datacenter. Using the Northbound API, you can define the firewall rules for both incoming and outgoing traffic from the workload VM. You can also configure each firewall rule to log the traffic that was allowed or denied by the rule.
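As an added example of defining such distributed rules through the Northbound API (this is not code from the page or from Microsoft's documentation), the PowerShell below builds an access control list with a small allow-list, a logged deny-all inbound rule, and open outbound traffic. It assumes the NetworkController PowerShell module and the Microsoft.Windows.NetworkController object model as shipped in Windows Server 2016; the REST endpoint and the subnet prefixes are placeholders.

```powershell
# Added example: a baseline distributed-firewall ACL pushed to Network Controller.
# Assumes the Windows Server 2016 NetworkController module; $ncUri and the prefixes are placeholders.
Import-Module NetworkController
$ncUri = 'https://nc.placeholder.example'   # placeholder: Network Controller REST endpoint

# Helper: build one ACL rule. Logging is switched on so that both allowed and denied flows
# are recorded, which is what makes the rule useful for detection and not just enforcement.
function New-AclRule {
    param(
        [string]$Id, [string]$Type, [string]$Action, [int]$Priority,
        [string]$Protocol = 'All', [string]$SourcePrefix = '*',
        [string]$DestinationPrefix = '*', [string]$DestinationPorts = '0-65535'
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Protocol                 = $Protocol
    $p.SourcePortRange          = '0-65535'
    $p.DestinationPortRange     = $DestinationPorts
    $p.Action                   = $Action        # 'Allow' or 'Deny'
    $p.SourceAddressPrefix      = $SourcePrefix
    $p.DestinationAddressPrefix = $DestinationPrefix
    $p.Priority                 = "$Priority"    # lower number wins
    $p.Type                     = $Type          # 'Inbound' or 'Outbound'
    $p.Logging                  = 'Enabled'
    $rule = New-Object Microsoft.Windows.NetworkController.AclRule
    $rule.ResourceId = $Id
    $rule.Properties = $p
    return $rule
}

# Policy (placeholder prefixes): North/South RDP only from the management subnet,
# East/West HTTPS from the web tier, everything else inbound denied and logged.
$rules = @(
    (New-AclRule -Id 'Allow-RDP-From-Mgmt' -Type Inbound -Action Allow -Priority 100 `
        -Protocol TCP -SourcePrefix '10.0.250.0/24' -DestinationPorts '3389'),
    (New-AclRule -Id 'Allow-HTTPS-EastWest' -Type Inbound -Action Allow -Priority 200 `
        -Protocol TCP -SourcePrefix '10.0.10.0/24' -DestinationPorts '443'),
    (New-AclRule -Id 'Deny-All-Inbound'  -Type Inbound  -Action Deny  -Priority 65000),
    (New-AclRule -Id 'Allow-All-Outbound' -Type Outbound -Action Allow -Priority 65000)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules

# Publish the ACL. It takes effect once it is referenced from tenant NIC or subnet
# resources, at which point the vSwitch port of every covered workload VM enforces it.
New-NetworkControllerAccessControlList -ConnectionUri $ncUri `
    -ResourceId 'Workload-Baseline' -Properties $aclProps
```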

Network Monitoring

This Network Controller feature allows you to monitor the physical and virtual network in your datacenter stamp or cluster. The Network Monitoring service uses the network object model, provided by the topology service, to determine the network devices and links to be monitored. Physical network monitoring is performed using both active network and element data.

Active network data, such as network loss and latency, is detected by sending network traffic and measuring round-trip time. The Network Monitoring service automatically determines the network points between which traffic must be sent, the quantum of traffic to be sent in order to cover all network paths, and also the loss/latency baseline and deviations over a period of time. A key aspect of this solution is fault localization. The Network Monitoring service attempts to localize devices that are causing network loss and latency. The solution leverages advanced algorithms to identify both network paths and devices in the paths that are causing performance degradation.

Element data is collected using Simple Network Management Protocol (SNMP) polling and traps. The monitoring service collects a limited set of critical data available through public management information bases (MIBs). For example, the service monitors link state, system restarts, and Border Gateway Protocol (BGP) peer status.

The monitoring system reports health of both devices and device groups. Health is reported based on both active and element data. Devices are, for example, physical switches and routers. Device groups are a combination of physical devices which has some relevance within the datacenter. For instance, device groups can be racks or subnets or simply host groups. In addition to providing health information, the monitoring service also reports vital statistics such as network loss, latency, device CPU/memory usages, link utilization, and packet drops.

The Network Monitoring service also performs impact analysis. Impact analysis is the process of identifying overlay networks affected by the underlying faulty physical networks. The service uses topology information to determine virtual network footprint and to report the health of impacted virtual networks. For example, if a host loses network connectivity, the system marks all virtual networks on this host and that are connected to the faulty network as impacted. Similarly, if a rack loses uplink connectivity to the core network, the system determines the logical network affected and marks all virtual networks in this rack and connected to the affected logical network as impacted.

Finally, the system integrates with the SCOM server to report both health and statistics data. Health is reported in an aggregated manner making it easy to traverse and understand key issues.

Network Topology and Discovery Management

This Network Controller feature allows you to automatically discover network elements in the cloud datacenter network. Network Topology and Discovery also determines how network devices are interconnected to build a topology and dependency map.

Service Chaining Management

This Network Controller feature allows you to create rules that redirect network traffic to one or more VMs that are configured as virtual appliances. There are many types of virtual appliances, such as firewall appliances, security appliances that perform deep packet inspection, and antivirus appliances. You can obtain these VM-based virtual appliances from a wide variety of independent software vendors (ISVs).

Software Load Balancer Management

This Network Controller feature allows you to enable multiple servers to host the same workload, providing high availability and scalability.

Virtual Network Management

This Network Controller feature allows you to deploy and configure Hyper-V Network Virtualization, including the Hyper-V Virtual Switch and virtual network adapters on individual VMs, and to store and distribute virtual network policies.

Network Controller supports both Network Virtualization Generic Routing Encapsulation (NVGRE) and Virtual Extensible Local Area Network (VXLAN).

Windows Server Gateway Management

This Network Controller feature allows you to deploy, configure, and manage Hyper-V hosts and virtual machines (VMs) that are members of a Windows Server Gateway cluster, providing gateway services to your tenants. Network Controller allows you to automatically deploy VMs running Windows Server Gateway, which is also called the Routing and Remote Access Service (RRAS) Multitenant Gateway, with the following gateway features:

  • Add and remove gateway VMs from the cluster and specify the level of backup required.
  • Site-to-site virtual private network (VPN) gateway connectivity between remote tenant networks and your datacenter using IPsec.
  • Site-to-site VPN gateway connectivity between remote tenant networks and your datacenter using Generic Routing Encapsulation (GRE).
  • Point-to-site VPN gateway connectivity so that your tenants’ administrators can access their resources on your datacenter from anywhere.
  • Layer 3 forwarding capability.
  • Border Gateway Protocol (BGP) routing, which allows you to manage the routing of network traffic between your tenants’ VM networks and their remote sites.

Network Controller is capable of dual-tunnel configuration of site-to-site VPN gateways and the automatic placement of tunnel end-points on separate gateways. In addition, Network Controller can load balance site-to-site and point-to-site VPN connections between gateway VMs, as well as log configuration and state changes by using logging services.

For more information on BGP, see Border Gateway Protocol (BGP) Overview.

For more information on the RRAS Multitenant Gateway, see Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.

For more information on Windows Server Gateway, see Windows Server Gateway.