Azure network
Networking in Azure can be separated into two parts: managed by Microsoft and managed by us. In this section, we will discuss the part of networking managed by Microsoft. It's important to understand the architecture, reliability, and security setup of this part to provide more context once we move to parts of network security that we need to manage.
As with Azure data centers generally, the Azure network follows industry standards with three distinct models/layers:
- Core
- Distribution
- Access
All three models use distinct hardware to completely separate all the layers. The core layer uses data center routers, the distribution layer uses access routers and L2 aggregation (this layer separates L3 routing from L2 switching), and the access layer uses L2 switches.
Azure network architecture includes two levels of L2 switches:
- First level: Aggregates traffic
- Second level: Loops to incorporate redundancy
This approach allows for more flexibility and better port scaling. Another benefit of this approach is that L2 and L3 are wholly separated, which allows for the use of distinct hardware for each layer in the network. Distinct hardware minimizes the chances of a fault in one layer affecting another one. The use of trunks allows for resource sharing for better connectivity. The network inside an Azure data center is distributed into clusters for better control, scaling, and fault tolerance.
In terms of network topology, Azure data centers contain the following elements:
- Edge network: An edge network represents a separation point between the Microsoft network and other networks (such as the internet or corporate networks). It is responsible for providing internet connectivity and ExpressRoute peering into Azure (covered in Chapter 4, Azure Network Security).
- Wide area network: The wide area network is Microsoft's intelligent backbone. It covers the entire globe and provides connectivity between Azure regions.
- Regional gateways network: A regional gateway is a point of aggregation for Azure regions and applies to all data centers within the region. It provides connectivity between data centers within the Azure region and enables connectivity with other regions.
- Data center network: A data center network enables connectivity between data centers and enables communication between servers within the data center. The data center network is based on a modified version of the Clos network. The Clos network uses the principle of multistage circuit-switching. The network is separated into three stages – ingress, middle, and egress. Each stage contains multiple switches and uses an r-way shuffle between stages. When a call is made, it enters the ingress switch and from there it can be routed to any available middle switch, and from the middle switch to any available egress switch. As the number of devices (switches) in use is huge, it minimizes the chance of hardware failure. All devices are situated at different locations with independent power and cooling, so an environmental failure has a minimal impact as well.
Azure networking is built upon highly redundant infrastructure in each Azure data center. Implemented redundancy is need plus one (N+1) or better, with full failover features within, and between, Azure data centers. Full failover tolerance ensures constant network and service availability. From the outside, Azure data centers are connected by dedicated, high-bandwidth network circuits redundantly that connect properties with over 1,200 Internet Service Providers (ISPs) on a global level. Edge capacity across the network is over 2,000 Gbps, which presents an enormous network potential.
Distributed Denial of Service (DDoS) is becoming a huge issue in terms of service availability. As the number of cloud services increases, DDoS attacks become more targeted and sophisticated. With the help of geographical distribution and quick detection, Microsoft can help you mitigate these DDoS attacks and minimize the impact. Let's take a look at this in more detail.
