Azure Expressroute for O365 and IaaS - azure

Is it okay to use a single Azure ExpressRoute connection for both Office 365 and cloud infrastructure migration? My customer is moving towards O365, and later, probably next year, they will start moving their infrastructure assets, including their developer workstations, to Azure IaaS. The customer is concerned about public-internet-based communication and wants to implement a secure and faster communication channel. However, I understand that ExpressRoute may be overkill just for O365, but considering the longer-term plans, I can safely suggest ExpressRoute. So, my questions are:
1) Can a single ExpressRoute connection handle both O365 and cloud infra migration?
2) Is there a difference in the type of circuits used for O365 and cloud infra?

I would think that you can easily accomplish that, depending on how much bandwidth you are piping through the ExpressRoute.
ExpressRoute for Azure and for Office 365 all run off the same hardware/circuits, as far as I can recall.
Great diagram for Azure ExpressRoute for O365:
https://support.office.com/en-us/article/azure-expressroute-for-office-365-6d2534a2-c19c-4a99-be5e-33a0cee5d3bd?ui=en-US&rs=en-US&ad=US
Important to note:
"Some connections such as Public DNS and Content Delivery Network nodes still require the public internet connection. Also the users who are not located in their ExpressRoute connected building are connecting over the Internet."

1) For sure you could use a single ExpressRoute circuit. Circuits are available with speeds from 50 Mb to 10 Gb; speeds and prices: https://azure.microsoft.com/en-au/pricing/details/expressroute/.
2) Initially, I would suggest just signing up for Microsoft peering. This will allow you to configure Route Filters with the BGP Communities relevant to Office 365 and your use case, like Exchange Online (to move mailboxes). If you work with your Microsoft account manager/TAM to get approval for Azure AD as well, you can move authentication via the BGP Community "Other Office 365 Services".
I would stress though that Office 365 is designed to work over the public internet. Most customers I've worked with in the past migrated 100s of Gb worth of mail over the public internet with no issue at all, averaging 5-10 Gb of uploads per hour on 100 Mb WAN links contended with general internet traffic.
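The route-filter step described in this answer, as an added Azure PowerShell example (not code from the original thread or from Microsoft's docs). It assumes a resource group "rg-network", an existing circuit "er-circuit-01" whose Microsoft peering is already provisioned, the region "australiaeast", and the community values 12076:5010 (Exchange Online) and 12076:5100 (Other Office 365 Services), which the script first cross-checks against the list Azure publishes.

```powershell
# Added example, not the thread's own code. Names below are assumptions; replace them.
$rg      = "rg-network"
$circuit = "er-circuit-01"

# 1. Confirm the community values before trusting them: Azure publishes the list,
#    so check it rather than copying numbers from memory or a forum post.
Get-AzBgpServiceCommunity |
    Select-Object -ExpandProperty BgpCommunities |
    Where-Object { $_.CommunityName -match 'Exchange|Other Office 365' } |
    Select-Object CommunityName, CommunityValue, IsAuthorizedToUse

# 2. Allow only the communities this migration actually needs (least privilege for
#    routes): Exchange Online for the mailbox move, and "Other Office 365 Services"
#    only once the account team has approved Azure AD over ExpressRoute.
$rules = @(
    New-AzRouteFilterRuleConfig -Name "allow-exchange-online" -Access Allow `
        -RouteFilterRuleType Community -CommunityList "12076:5010"
    New-AzRouteFilterRuleConfig -Name "allow-other-o365" -Access Allow `
        -RouteFilterRuleType Community -CommunityList "12076:5100"
)
$rf = New-AzRouteFilter -Name "rf-o365" -ResourceGroupName $rg `
        -Location "australiaeast" -Rule $rules

# 3. Attach the filter to the circuit's Microsoft peering, keeping the existing
#    peering parameters. Without a route filter no Microsoft prefixes are advertised
#    to you, so an empty filter is the safe default, not a misconfiguration.
$ckt  = Get-AzExpressRouteCircuit -Name $circuit -ResourceGroupName $rg
$peer = Get-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" -ExpressRouteCircuit $ckt
Set-AzExpressRouteCircuitPeeringConfig -Name "MicrosoftPeering" -ExpressRouteCircuit $ckt `
    -PeeringType MicrosoftPeering -PeerASN $peer.PeerASN `
    -PrimaryPeerAddressPrefix $peer.PrimaryPeerAddressPrefix `
    -SecondaryPeerAddressPrefix $peer.SecondaryPeerAddressPrefix `
    -VlanId $peer.VlanId `
    -MicrosoftConfigAdvertisedPublicPrefixes $peer.MicrosoftPeeringConfig.AdvertisedPublicPrefixes `
    -MicrosoftConfigCustomerAsn $peer.MicrosoftPeeringConfig.CustomerASN `
    -MicrosoftConfigRoutingRegistryName $peer.MicrosoftPeeringConfig.RoutingRegistryName `
    -RouteFilter $rf
Set-AzExpressRouteCircuit -ExpressRouteCircuit $ckt

# 4. Verify: only Exchange Online / Other Office 365 prefixes should now be learned.
Get-AzExpressRouteCircuitRouteTable -ResourceGroupName $rg -ExpressRouteCircuitName $circuit `
    -PeeringType MicrosoftPeering -DevicePath Primary |
    Select-Object Network, NextHop, Path
```

The same route filter can later be extended with a private peering for the IaaS move without touching the Microsoft peering rules; the two peerings are independent routing domains on the one circuit.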

Microsoft peering-- EXPRESSROUTE

I became interested in Azure and, while studying and answering questions, I'm really confused about this question.
ExpressRoute "Microsoft Peering" enables customers to: (select all that apply)
A. Connect to their virtual network resources from on premises
B. Connect to internet resources securely
C. Connect to Office 365 Services
D. Connect to Azure Services
I think it is B only, not really sure.
I found this online:
"Microsoft peering
Microsoft 365 was created to be accessed securely and reliably via the Internet. Because of this, we recommend ExpressRoute for specific scenarios. For information about using ExpressRoute to access Microsoft 365, visit Azure ExpressRoute for Microsoft 365.
Connectivity to Microsoft online services (Microsoft 365 and Azure PaaS services) occurs through Microsoft peering. We enable bi-directional connectivity between your WAN and Microsoft cloud services through the Microsoft peering routing domain. You must connect to Microsoft cloud services only over public IP addresses that are owned by you or your connectivity provider and you must adhere to all the defined rules. For more information, see the ExpressRoute prerequisites page."
It is A. ExpressRoute is used when you want a secured but also a speedy and committed connection to your Azure region of choice. This way the connection from your organization's on-prem network is not only secure but also fast, as you go from on-prem to your telco, then to the hub, then to your Azure region. ExpressRoute is available for both Azure and Office 365 services.

Azure: moving web apps connected to VPN to another subscription

I have a couple of web applications deployed in Azure and I would like to move them to another subscription. The problem is that these apps are connected to the VPN gateway, which cannot be moved. I suppose that if I ask support staff to move my applications, the applications will be disconnected from the old VPN. Am I right, and is there any better way to switch to the new subscription with minimal service interruption?
You have a good question. Actually, VPN gateways can be moved between subscriptions. However, the migration between subscriptions is all or nothing. If you want to migrate subscriptions, everything within that subscription will be migrated to the other.
Our support engineers will migrate everything, including VPN gateways, with minimal interruption. Please open a support ticket and our support engineers will be happy to take care of this migration for you.
Thanks,
Bridget [MSFT]

What is the best practice for ddos protection on Windows Azure virtual machine?

What is the best practice for DDoS protection on a Windows Azure virtual machine?
I have multiple domains connected to my VM and a static IP.
Azure provides DDoS protection on all their services, but they do this in a selfish manner, i.e. they are protecting their service, not necessarily yours.
I think when trying to enable DDoS protection you have the following options:
1) Use VMs from the Azure Marketplace. There are leading security solutions for sale, and you can put those in-line with your VMs.
2) Use an upstream service such as Incapsula, Cloudflare, or Silverline.
There really is no one single best-practice solution; you need to balance cost vs risk to determine the best solution for you or your client.
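The upstream-service option above only helps if the VM's static IP cannot be reached except through that service, so this added Azure PowerShell example (not from the thread) puts a network security group on the VM's NIC that admits web traffic solely from the provider's egress ranges. It assumes resource group "rg-web", region "westus", a NIC named "web01-nic", and placeholder ranges in $upstreamRanges that you replace with the provider's published list.

```powershell
# Added example, not the thread's own code. All names and ranges are assumptions.
$rg  = "rg-web"
$loc = "westus"
# Placeholder documentation ranges; replace with the upstream WAF/DDoS provider's list.
$upstreamRanges = @("203.0.113.0/24", "198.51.100.0/24")

# Only the upstream scrubbing/WAF service may reach the web ports. Traffic that
# reaches the static IP directly never passed through the mitigation layer, so it
# is denied regardless of which domain it was aimed at.
$allowUpstream = New-AzNetworkSecurityRuleConfig -Name "allow-upstream-web" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $upstreamRanges -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange @("80", "443")

# Explicit deny for the Internet service tag on the same ports. The platform's
# default DenyAllInBound rule would also catch this; stating it makes intent
# visible in audits and survives someone adding a broad allow at a lower priority.
$denyDirect = New-AzNetworkSecurityRuleConfig -Name "deny-direct-web" -Priority 200 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange @("80", "443")

$nsg = New-AzNetworkSecurityGroup -Name "nsg-web-origin" -ResourceGroupName $rg `
    -Location $loc -SecurityRules $allowUpstream, $denyDirect

# Bind the NSG to the VM's network interface.
$nic = Get-AzNetworkInterface -Name "web01-nic" -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Check: the effective inbound rules should allow 80/443 only from $upstreamRanges.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "web01-nic" -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq "Inbound" } |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Re-run the check whenever the provider updates its published ranges; a stale allow list silently breaks legitimate traffic while a forgotten broad allow silently re-exposes the origin.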
Azure officially partners with Imperva Incapsula to provide WAF and DDoS Mitigation:
https://azure.microsoft.com/en-us/blog/azure-security-center-adds-new-partners-detections-and-more/
https://www.incapsula.com/ddos-protection-for-microsoft-azure.html
If you want a hint, look at who protects Microsoft's own blog...
http://blogs.microsoft.com/blog/2016/02/25/enterprise-security-for-our-mobile-first-cloud-first-world-2/
Using Incapsula is the correct way to go; it will mitigate all of the DDoS attacks and provide CDN and cache for your app, which will speed it up.
Today we use Incapsula to mitigate attacks and as a CDN + cache, and it actually saved us on AWS traffic and sped up the application.
There is a lot happening around making Azure more secure. Most of that is described in the Azure Trust Center. You can request penetration testing as well if you want.
And, if you want some additional features, there is a partner offerings marketplace called Azure Marketplace where you can find a lot of manageable solutions.

Is there anything like AWS Direct Connect in Azure?

AWS Direct Connect allows physical connections and BGP setup to connect the AWS cloud with an on-premises DC or a customer's private cloud. I wonder if there's anything like this in the MS Azure cloud. Not VPN based.
Kind of.
It is announced as a future plan, but not yet accessible to customers. I believe this is what you are asking for: http://www.microsoft.com/en-us/news/press/2013/sep13/09-18msattpr.aspx
Hopefully we can see this announcement moving forward in the next year. Offering this solution to regions other than the USA will also be an interesting development of this solution, but currently nothing can be found on the internet.
As the cloud continues to be embraced by customers and partners around the world we are seeking to help them connect to their off-premise investments. Today, providers such as TW Telecom, AT&T, and Level 3 grant their clients the ability to connect to AWS or Windows Azure with scalable and flexible connectivity. Recently, Level 3 released ExpressRoute; a new service that allows customers to utilize a private connection from an Equinox Data Center to the Windows Azure Cloud. This service is similar in nature to the AWS direct connect service that was released a few years ago, providing a private network route to hosted cloud services that bypasses the public Internet.
ExpressRoute aims to reduce latency and increase the speed with which clients can access their applications. To achieve this goal, Level 3 provides the client with a 1 gigabit or 10 gigabit connection from an Equinox Data Center in San Jose to Windows Azure, increasing your network throughput for large workloads. Today, Windows Azure does not offer multiple VPNs into their cloud. To compensate for this issue, consolidating and connecting to the Azure cloud with a private connection ensures the transfer of your data.
Ref. from http://fastblue.com/cloud-connectivity-aws-direct-connect-and-windows-azure-express-route/

Windows Azure VPN and IP restriction

We integrate with a third-party service where we can run queries, which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either:
1) Set up a VPN, which is problematic because we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
2) Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level, which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
3) Suggest another secure alternative. The only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect, which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
- Can they install the Azure Connect endpoint on another server on their DMZ network, i.e. not the actual server which hosts their service?
- Can we somehow provide them with static IPs for incoming queries?
- Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd-party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands-on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good, and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet: if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only does it defeat most of the benefits of the cloud (been there, done that and suffered a lot), but it also makes the whole thing less secure, with more complexity and more attack surface.
Windows Azure does not provide anything that looks like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time; Microsoft will probably provide it at some point, but it might still take many months.