build 2014 azure インフラエンジニア向けアップデート
DESCRIPTION
Build 2014で紹介されたMicrosoft Azureのインフラエンジニア向けアップデートをまとめてみました。 ブログはこちら http://kentablog.cluscore.com/TRANSCRIPT
//build/2014 Azureインフラエンジニア向けアップデート
Japan Windows Azure User Group@kekekekenta
2014 年 4 月 12 日
2
• 本資料は Channel9 で公開されている情報をもとに作成されています。また、英語の箇所がたくさんありますがご了承ください。– http://channel9.msdn.com/Events/Build/2014
はじめに
• IP ACLs
• Static Virtual Network IP addresses
Virtual Network
Public Endpoint ACL(Access Control Lists)
4
VirtualMachines
IP: 101. 121.---.255
IP: 127.255. ---.---
End Point ACL
P
P
• Inbound トラフィックのアクセスコントロールができる。 Outbound トラフィックは全アクセスが許可されている。
Virtual Network
<subnet X>
<subnet Y>
<subnet Z>
仮想ネットワーク( Virtual Networks )
DNS Server
• 全てコントロール可能な論理的に分離されたネットワーク
• サブネット作成可能• プライベート IP アドレスの永続化• Azure 提供の DNS か、自前 DNS の利用が
可能• Inbound の ACL 設定が可能• オンプレミスから仮想ネットワークへの接
続可能
Azure
静的仮想 IP アドレス( Static Virtual Network IP Addresses )
現在の機能• VM 作成時に Static VNet IP addresses を
設定することができる• 既に存在する VM に対しても、 Static VNet
IP addresses をアサイン/変更/削除設定することができる
シナリオ例• Static IP for AD / DNS server
PowerShell を使って設定可能
Sample
New-AzureVMConfig -Name “mydns” `
-ImageName $img -InstanceSize Small |
Set-AzureSubnet -SubNetNames $subnet |
Add-AzureProvisioningConfig -Windows `
-AdminUsername $adm -Password $pwd |
Set-AzureStaticVNetIP -IPAddress "10.0.0.8" |
New-AzureVM -ServiceName $svc -VNetName $vnet
• Point-to-site 接続• Site-to-site 接続• ExpressRoute
Connectivity
Microsoft Azure が提供する接続
Cloud Customer What’s new
Secure point-to-site connectivity
Virtual Network (Point-to-Site)
• Announcing General Availability
Secure site-to-site VPN connectivityVirtual Network (Site-to-Site)
• Announcing General Availability of Dynamic routing VPN Gateways
• New VPN vendors
Private site-to-site connectivity
ExpressRoute
• Preview service• GA in early summer• AT&T, Equinix, Level3
オンプレミス
データセンタ
ファイアウォールの内側に存在するコンピュータ
Point-to-Site VPN
Route-based VPN
Azure
Virtual NetworkVPN
Gateway
<subnet 1>
<subnet 2>
<subnet 3>
DNS Server
VPN Gateway
Remote workers
Site-to-SiteVPN
Point-to-Site VPNs
Virtual Networks & P2S 接続
• ファイアウォールの内側からも接続可能
• VPN ソフトウェアの追加インストールが必要ない
• 簡単に使うことができる。セットアップも簡単
• プロトタイピングや開発、デモに便利
• P2S と S2S の共存
P2SVPNs
Active Directory
SharePointSQL Server
Azure
Existing Datacenter
S2S VPN
On-premises
Your datacenter
Hardware VPN or Windows RRAS
Azure
Virtual NetworkVPN
Gateway
<subnet 1>
<subnet 2>
<subnet 3>
DNS Server
VPN Gateway
Site-to-SiteVPN
Site-to-Site 接続
• オンプレミスのネットワークをクラウドに拡張可能• On-ramp for migrating services to the cloud
• オンプレミスのリソースを Azure で使用
• IKE v1, IKE v2
• AES 128, 256
• SHA1, SHA2
Generic VPN devices must support
• Windows Server 2012 RRAS
• Open Swan
Software based VPN gateways
Azure に VPN 接続するには
Cloud on your WAN• Avoids risks from exposure to Internet• Avoids complexity and added costs• Provides lower latency, higher bandwidth
and greater availability
Public cloud
WAN
Customer DC
Customer site 1
Customer site 2
Public internet
もっと安全に
IPsec VPN over Internet• Greater networking costs and latency since data is hair
pinned through a customer data center• Data travels over the open Internet to connect to cloud• Bandwidth is limited
Public cloud
WAN
Customer DC
Customer site 1
Customer site 2
Public internet
高スループット
セキュリティ
低コスト
パフォーマンスを見積もれる
ExpressRoute とは
ExpressRoute は、 Azure と組織のデータセンタ間のネットワークを専用の回線で接続し、高スループットで通信できる機能を提供します。
ExpressRoute による接続
Windows AzurePublic services
仮想ネットワーク上の Azure Compute
Azure Edge
Connectivity Provider
Infrastructure
Customer’s network
Customer’s dedicated connection
Traffic to public IP addresses in Windows Azure
Traffic to Virtual Networks in Windows Azure
(参考) VPN 接続の場合
AzurePublic services
仮想ネットワーク上の Azure Compute
Azure GatewayVPNCustomer’s
network
VPN connection via the Internet
Traffic to public IP addresses in Windows Azure
Traffic to Virtual Networks in Windows Azure
Public and Private peering
Contoso (10.0.0.0/16)
Exchange
AD/DNS
IIS ServersSQL Farm Proxy/Internet edge
Monitoring
Netbound–ExpressRoute Circuit
Windows Azure
Storage SQL Websites
Direct internet trafficCross PremisesInternet boundAzure service access
Contoso virtual networks/Vms
Azure public services
AD/DNS
Internet
Virtual Network and ExpressRoute
Connect via an encrypted link over public internet
Peer at an ExpressRoute location, an Exchange Provider facility
Connection from a WAN provided by Network Service Provider. Azure becomes another site on the customer’s WAN network.
Scenario 1: IPSec VPN over internet
Scenario 2: Exchange Provider
Scenario 3: Network Service Provider
Windows AzureCustomer DC
Virtual Network - Compute only.
ExpressRoute - Provides customer choice and include access to compute, storage, and other Azure services.
Customer site ExpressRoutepartner location
Windows Azure
Customer site 1
Customer site 2
Customer site 3 Windows Azure
WAN
Publicinternet
Publicinternet
Publicinternet
ExpressRoute パートナー(北米)
Exchange Provider Network Service Provider scenario
Customer site ExpressRoutepartner location
Windows Azure
Customer site 1
Customer site 2
Customer site 3 Windows Azure
WAN
Publicinternet
Publicinternet
ExpressRoute PowerShell CommandletsExpressRoute commandlets Description
Get-AzureDedicatedCircuitServiceProvider
Lists all ExpressRoute service providers including carriers and internet exchange points offering connectivity across all regions in Windows Azure.
Get-AzureDedicatedCircuit Lists all ExpressRoute circuits and details of each circuit.
Get-AzureDedicatedCircuitLink Lists the link state of a particular virtual network and an ExpressRoute circuit.
New-AzureDedicatedCircuit Creates a new ExpressRoute circuit in a Windows Azure subscription.
New-AzureDedicatedCircuitLink Creates a link between an ExpressRoute circuit and a virtual network in the current Windows Azure subscription.
Remove-AzureDedicatedCircuit Removes an ExpressRoute circuit.
Remove-AzureDedicatedCircuitLink Removes the link between a Virtual Network and an ExpressRoute circuit.
BGP Configuration commandlets Description
Get-AzureBGPPeering Returns an object with bgp configuration information of an ExpressRoute circuit.
New-AzureBGPPeering Creates a new BGP peering configuration for an ExpressRoute circuit.
Remove-AzureBGPPeering Removes the routing configuration for an ExpressRoute circuit.
Set-AzureBGPPeering Updates a BGP peering configuration for an ExpressRoute circuit.
パブリックプレビュー• Washington D.C. • Silicon Valley, CA
その他ロケーションは、もう少し待ってね!とのこと
ロケーション :
ExpressRoute ロケーション
Global datacenters
ExpressRoute locationsPublic preview
ExpressRoute 価格(北米の価格のため参考に)
Exchange Provider Network Service Provider
Per month:
$12,000
Per month:
$7,200
Per month:
$1,800
Per month:
$1,200
Per month:
$6001 Gbps500
Mbps
100 Mbps
50 Mbps
10 Mbps
データ転送無制限の月額料金データ転送料込の月額料金
1Gbps Port + 15 TB included egress
Per month:
$600Free Ingress
Overage:$0.035/GB Zone 1 $0.07/GB Zone 2
10Gbps Port + 250 TB included egressPer month:
$10,000
Free Ingress
Overage:$0.035/GB Zone 1 $0.07/GB Zone 2
Summary
Use Traffic Manager to build highly available services Use Virtual Network to create virtual private networks in Azure and extend your premises to Azure Use Point-to-site connectivity to simplify prototyping and dev / test / lab scenarios Use ExpressRoute for Enterprise grade connectivity to Azure
New features
Traffic Manager, traffic manager for websites Static private IPv4 addresses for VMs Migrate VMs from one subnet to another without having to redeploy them Point-to-site and dynamic routing generally available New VPN device vendors validated ExpressRoute in preview
サマリ
Automation
Resource Manager
VMM Agent Chef, Puppet, DSC
DevOps
Azure
Twilio
New Relic
MongoDB
Web based Runbook AuthoringCreate runbooks to automate all aspects of your cloud operations, from resource provisioning to log purging, and everything in between
Highly Available EngineSupport requirements for scale and H/ABuilt on PowerShell Workflow. Strong tenant isolation for runbook jobs
Integration into other systems
Create and import modules and runbooks for existing resources, or to connect into 3rd party services that span service providers
AutomationMove old logs to
cold storage
Add additional database capacity
Notify on call ops of site failure
Upgrade custom
service in HA way
Microsoft Azure のオートメーション
Azure Templates can:• Ensure Idempotency
• Simplify Orchestration
• Simplify Roll-back
• Provide Cross-Resource Configuration and Update Support
Azure Templates are: • Source file, checked-in
• Specifies resources and dependencies (VMs, WebSites, DBs) and connections (config, LB sets)
• Parametized input/output
Instantiation of repeatable config.Configuration Resource Group
Resource Manager
SQL - A Website VirtualMachines
SQL-AWebsite[SQL CONFIG] VM (2x)
DEPENDS ON SQLDEPENDS ON SQL
SQLCONFIG
仮想マシンの構成自動化
27
• VMM Agent
• DSC (in-VM PowerShell)
• Chef
• Puppet
PuppetForge: 用意されているオートメーションソリューション
Virtual & Cloud Infrastructure
Applications
Network & Storage Devices
Operating System Resources
NTP SUDO LDAP
RPM SSH USERS
29
THANK YOU!