Original: Http://www.infoq.com/cn/articles/azure-networking-tips
This article shares the experience of using Microsoft Azure network services from a product design and architecture perspective, and hopefully you will be able to understand these services in order to better design your architecture after reading this article.
Microsoft Azure's network architecture is designed specifically for enterprise private and hybrid clouds, and includes three common services:
- Virtual network: Connect to local network and cloud infrastructure
- Traffic Manager (traffic manager): Assigning user traffic to different datacenters
- Name resolution service (DNS): Parsing with internal hostname as a cloud service
Below, I'll focus on what to look for when using these three services, as well as some other aspects to be aware of when using Microsoft Azure network services, such as site-to-site VPN security settings, use of private IP addresses and shared IP addresses, use of BGP networks, How the network latency problem is handled, and so on.
Pre-read notes
Microsoft Azure uses some unique terminology, two of which require special attention:
VIP (Virtual IP address): A public IP address on the Azure network that is used to connect virtual machines in an Azure virtual network from an extranet. This VIP is not a virtual IP address in a Network Load Balancing NLB solution.
DIP (direct IP): The actual IP address assigned by DHCP to use for virtual machines in a virtual network. This dip is not an NLB dip.
Virtual Networks ( Virtual Network )
Virtual networks can be used to create and manage IPv4 address spaces. You can establish a secure VPN connection between your local intranet and your virtual network, or you can connect your cloud application to your local network.
Virtual networks can be used to establish a connection between virtual machines. It is important to note that you need to create a virtual network first and then associate it with the virtual network that you have created when you create the virtual machine. In the same vein, virtual networks can also establish a connection between cloud services, which has the advantage of allowing the virtual machines under different cloud services to communicate with each other through private IPv4 addresses.
It is also important to note that you must first create the affinity group (Affinity Group) before you create the virtual network for the first time, because virtual networks without affinity affinity groups are not optimized. An affinity group is a logical grouping of Microsoft Azure for locating services, such as the East China region. If we create a storage service in the same affinity group in the future, the performance of the storage service is more optimized for other cloud services within the group.
When you create an Azure virtual network, you need to use a private IP addressing scheme instead of using a shared IP address. In addition, you need to make sure that your private network does not occupy these IPs, and you cannot have overlapping IP addresses.
Azure's egress in the datacenter is using BGP networks, and the virtual network currently does not support internal use of Gateway NLB. If you want to achieve high availability, you can only rely on other methods or hardware, such as hardware backup, when the primary VPN gateway fails to enable the backup server (such as the Windows Server 2012 Routing and Remote Access Service RRAS on the cluster).
When you create an Azure virtual network, the collection of request IP addresses represents all the aggregated sub-networks. Although you can summarize the network, there is no routing between these subnets, and there is no way to perform access control in the middle of those subnets.
In an Azure virtual network, the virtual machine uses DHCP to obtain an IP address by default. You can configure a static IP for a virtual machine, but you must create a VM using PowerShell. If you do not use DHCP, the Azure virtual network system will assume that the device is in an unknown state, causing you to be unable to connect to the virtual machine. However, although the IP addresses of virtual machines are obtained using DHCP, their IP addresses are constant during the run-unless you stop (unassign) or recreate them. If you use the Management Portal to "close" the virtual machine, the billing stops and the "unassigned" (see) is displayed, and the IP in use is freed. However, if you shut down by connecting the virtual machine's operating system, no billing will be stopped and IP will not be released.
There are several ways to connect virtual machines in an Azure virtual network. By default, each virtual machine has an RDP port and the ingress port is turned on. Note that Azure does not use the default RDP port 3389. If you don't want your virtual machine to be exposed, you can also choose to disable the port or change to a different port. Another way to connect a virtual machine is to connect to an Azure virtual network from your corporate intranet through a site-to-site VPN, which is the same way you would use a site-to-site VPN down in your branch office and head Office for RDP Connections, as described later.
If you are not on the office network, or if you do not want to connect to the office via a VPN, you can connect to the virtual machine in a "point-to-site" manner, which is equivalent to an SSTP remote access VPN, which is more secure than connecting to an Azure virtual network directly with RDP.
Traffic Manager ( Traffic Manager )
Traffic Manager is another important network service for Microsoft Azure. By using Traffic Manager, you can assign users to an "optimal" location in the Azure datacenter to ensure the performance, availability, and resiliency of your cloud applications.
Traffic Manager uses the intelligent policy engine to process DNS domain name requests. You need to create a configuration in Management Portal to use Traffic manager, and the items you need to configure include:
- Properties: Includes the prefix of the domain name you created, which is visible in the Management Portal.
- Definition: Includes detection settings for policy settings and properties.
- Policy: Used to specify the load balancing method and terminal.
- Monitor: Used to specify timeouts, protocols, ports, and associated paths.
Traffic Manager provides three load balancing methods: Performance, fault tolerance, or looping:
- Performance: Based on network latency, this approach directs traffic to the nearest data center.
- Loop: This method distributes traffic equally to each data center.
- Fault tolerance: If the primary service fails, this method directs traffic to the backup service or data center.
Current traffic Manager can support IPV6, but does not support sticky sessions, there will be no service interruption when changing policy configuration. The use of services and applications must also pay more attention to the consistency of back-end storage configurations. Traffic Manager is ideal for use in scenarios such as Web sites and services that do not constantly change static content.
DNS Domain Name Resolution
Microsoft Azure provides a domain name resolution service, but the service can only resolve instance names under the same cloud service. For example, virtual machine A and virtual machine B under Service C can be accessed directly from each other through their own full domain name (FQDN) without having to configure the DNS server externally. If your virtual machine instance is running under a different cloud service, then you need to use an external DNS solution, such as a public DNS server, a DNS server for your ISP, or a DNS server for your corporate network.
If you want to parse the name of another virtual machine, such as an Internet connection or a machine in an office network, you can add a DNS server to your Azure virtual network. Just like adding a DNS server address in DHCP options. The DNS server address assigned to the virtual machine can be either the IP address of the DNS server in the Azure virtual network, or the DNS server address of the Internet connection. If you place a domain controller in an Azure virtual network, you must also make sure that the controller also configures the DNS server on Azure.
Station Point to Station Point VPN
The solution enables organizations to quickly and securely deploy virtual machines on Microsoft Azure with a broad application perspective that can be used for development and testing: You can set up access to virtual machines from local workstations to validate and test programs, Rapid resource instantiation can help you quickly validate pending programs and other services that require secure messaging across your enterprise and public cloud.
The site-to-site VPN between the internal network and the Azure virtual network uses IPSEC tunneling mode. Note that Azure supports only specific on-premises VPN gateway devices. If you do not have a supported hardware device, you can also use the Windows Server 2012 Routing and Remote Access Service (RRAS) to create a site-to-site VPN connection. In addition, Azure supports configuring your on-premises VPN gateways with configuration scripts.
If you want to establish a site-to-site VPN using Microsoft Azure Gateway, the on-premises VPN device must support IKE V1 or IKE v2. It is important to note that Microsoft Azure only supports static routing when using IKE V1, and IKE V2 must be used to use dynamic routing features.
The effect of network delay on hybrid applications
When you build a hybrid application, whether it's porting an existing application or creating a new app service, it's important to understand the potential impact of network latency. When Azure starts exploring porting applications to hybrid mode, we quickly realize that applications may not be able to respond perfectly in mixed mode.
As an example of a classic two-tier application, the original structure, including the response time between the user, the Web server, and the database server, was a few milliseconds. If we move the Web server to Microsoft Azure, but the database service is still local, the topology will be delayed by more than 30 milliseconds, with a delay of 3 milliseconds! This delay is particularly severe in cases where large amounts of data are being transmitted at the same time as many operations. Some of the apps we've implemented will emit hundreds of redundant calls on a single page click, which must be redesigned as such.
Delays can sometimes be the "last mile" effect. For example, the result of our program testing in the data center is a delay of 1 milliseconds, but when the network foreground is ported to Microsoft Azure, the delay becomes 30 milliseconds. Therefore, extensive testing is necessary.
If you need a new hybrid Cloud app service, we'll design with latency in mind. We can also use Microsoft Azure Cache and CDN services to make the data closer to the user or to the local server as much as possible. If porting software is required, we can understand the latency in advance by using the Software network emulator. While it is difficult to accurately determine how latency affects applications, we should pay more attention to such issues at the beginning of the design architecture.
Summarize
Many companies are already aware of the potential that cloud computing can bring. However, some businesses tend to invest in internal private cloud infrastructures. Many enterprises do this primarily for security reasons, and consider that the behavior of transferring all company data to public cloud service providers is a hidden hazard. The private cloud does take full advantage of the cloud's main features, but it requires more than that for enterprises that require agility and flexibility. In this environment, hybrid cloud computing will usher in a huge investment value. Today, organizations can decide what data can be published to public cloud service providers and which data is left on-premises. Hybrid cloud computing allows businesses to get the most from two things: cloud computing and local resources.
In the past traditional data centers, enterprises must add more servers in the data center to deal with the increasing demand, and then deploy new operating systems and applications on them after purchasing hardware, which requires a long period of budget, hardware procurement and waiting for supplier delivery. On the Microsoft Azure platform, organizations can now easily scale their on-premises data centers to the cloud, and the Microsoft Azure Virtual network is the key.
Thank Ma Guoyao for the review of this article.
Experience sharing with Microsoft Azure Services Design Network architecture (GO)