2. Locations:
• Azure has regions around the world.
Availability Sets:
• Azure provides a redundancy option for VMs by isolating them
in different fault and update domains.
Virtual Networks (VNETs)
• Logically isolated network. You can create subnets and route tables.
Subnets: Fixed address block within a VNET (e.g. 10.0.1.0/24)
User Defined Routes (UDRs): Route table for next hop
Network Security Groups (NSGs): network firewall rules used to
secure resources
Azure Resource Manager Templates: Used to orchestrate
resources and deliver services in Azure
3. VNET Connectivity:
• On Prem to VNET
• Two methods.
1. VPN Gateway
2. ExpressRoute™ – secure dedicated connection
• VNET to VNET
F5 is available as a drop-down option to connect
to your remote BIG-IP
7. • 1 NIC for Management and External
• Change configuration utility port 443 => 8443
• Use a Transparent/forward virtual server per
service port.
• Separation of traffic via iRule, SNI or traffic
policy.
• Networking objects (vNIC 1.0, an internal
VLAN, and an internal self IP address) are
created automatically for you.
• Supports One-Armed and DSR mode.
8. • Supports one-armed, two-armed and DSR mode use
cases.
• Still only one public IP address available
• Change BIG-IP configuration utility port 443 => 8443
• You can’t use the BIG-IP GUI to create this configuration; use one of:
- An Azure template
- PowerShell
- The Azure command-line interface (CLI)
• Supported in version 12.0 HF1 and later
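Added example (not from the original slides or from F5): slides 7 and 8 move the configuration utility to port 8443, and in the single-NIC deployment it shares the NIC with external traffic, so this sketch evaluates NSG inbound rules in priority order to show which rule decides whether a given client reaches 8443. The rule set is constructed sample data in ARM-template securityRules shape, and service tags other than Internet are assumed not to cover a public client.

```python
import ipaddress

# Constructed sample NSG rules in ARM-template "securityRules" shape (not from the slides).
SAMPLE_NSG = [
    {"name": "allow-https", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
    {"name": "allow-mgmt-admins", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["22", "8443"]}},
    {"name": "allow-high-ports", "properties": {
        "priority": 200, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "Internet", "destinationPortRange": "8000-9000"}},
]

def port_ranges(props):
    """Yield (low, high) for each destination port entry: "*", "443" or "8000-9000"."""
    entries = props.get("destinationPortRanges") or [props.get("destinationPortRange", "")]
    for entry in entries:
        if entry == "*":
            yield 0, 65535
        elif entry:
            low, _, high = entry.partition("-")
            yield int(low), int(high or low)

def source_matches(props, client_ip):
    """True if a public client address falls under the rule's source prefixes."""
    prefixes = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "")]
    for prefix in prefixes:
        if prefix in ("*", "Internet"):
            return True
        try:
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(prefix, strict=False):
                return True
        except ValueError:
            continue  # assumption: other service tags never cover a public client
    return False

def first_match(rules, client_ip, port, protocol="Tcp"):
    """Return (rule name, access) of the rule that decides this inbound flow."""
    inbound = [dict(r["properties"], name=r["name"]) for r in rules
               if r["properties"]["direction"] == "Inbound"]
    for props in sorted(inbound, key=lambda p: p["priority"]):  # lowest number wins
        if props["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if source_matches(props, client_ip) and any(
                low <= port <= high for low, high in port_ranges(props)):
            return props["name"], props["access"]
    return "DenyAllInBound", "Deny"  # platform default rule, priority 65500
```

In the sample, a public client reaches 8443 through the broad allow-high-ports range even though allow-mgmt-admins restricts 8443 to one admin prefix.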
11. Public Cloud - Shared Responsibility Security Model
Customer’s responsibility
• Protecting the confidentiality, integrity, and availability of their data in the cloud
• OS and application-level security
Cloud Provider responsibility
• Providing a global secure infrastructure and services
Diagram layers, in the order listed on the slide:
• CP Global Infrastructure: Data Centers, Zones, Regions, Edge Locations
• Networking Services, Compute, Database, Storage, Deployment & Management
• Client-Side Data Encryption & Data Integrity Authentication
• Server-Side Encryption (File System and/or Data)
• Network Traffic Protection (Encryption, Integrity, Identity)
• Operating System, Network and Firewall Configuration
• Platform, Applications, Identity & Access Management
• Customer Data
Diagram axis: Physical to Hypervisor (Cloud Provider); OS and Application (Customer)
12. Preconfigured WAF with Azure Security Center
Product : F5 Web Application Firewall (WAF) Solution
• Simple deployment experience integrated
with Azure workflow and services
• Out-of-the-box choice of security settings
preconfigured by F5 experts
• Comprehensive application security and
compliance with advanced Layer 7 attack
protections
• Consistent policy management and user
experience across Cloud and Datacenter
apps
• Integration with Azure dashboard and alerts
/ visualization services
F5 WAF Solution Integrated With
Azure Security Center (ASC)
Use Case Example
F5 provides an ARM template to configure the preconfigured WAF outside of Azure Security Center to support broader customer needs.
13. • Strengthens security posture by enabling
device checks, multifactor authentication,
up-leveling authentication and AD & AAD
Integration
• Consolidates & centralizes security when
offering hybrid services across cloud and
on-prem datacenters
• Streamlines access by providing federation &
single sign on across all SAML/OAuth enabled
on-prem, O365, Azure, and SaaS apps
• Reduces configuration complexity with
simplified deployment using Azure Solution
Template
• Enables migration with context aware, user &
device based traffic redirection
Office 365 Identity Federation & Single Sign On
Product : F5 BIG-IP Best (BIG-IP Access Policy Manager)
Use Case Example
[Diagram labels: Azure, Private Cloud, Unauthorized User, Authorized Users, BIG-IP, SSO]
14. [Diagram labels: AD, SAML Federation, SAML IDP, SAML SP, App A, App B, Employee, Contractor/Partner, SSL-VPN, On premises, BIG-IP]
• Background
• Need secure access (SSL-VPN) to Azure for
employees, contractors and partners.
• Integration with existing identity
infrastructure
• Solution
• Secure access by enabling SAML for all
the apps in Azure.
• Federate ID with existing AD and SAML IDP
• Endpoint security check and SSL VPN
enables secure remote access to Azure
• Increase high availability by deploying F5
into multiple Azure regions
SSL VPN and secure access to Azure
Product : F5 BIG-IP Best (BIG-IP Access Policy Manager)
Use Case Example
15. Use Case 1: Cloud Deployment with Single Sign On and Firewall
• Secure, policy driven single sign-on Access Management
• Web application security, firewalling and DDoS protection
• Stateful Layer 4-7 load balancing, SSL offloading and application delivery
Modules:
• LTM: Load Balancing + App Delivery + SSL
• APM: Access Management
• ASM: Web Application Firewalling
• AFM: Firewalling + DDoS protection
[Diagram labels: End Users, Internet, ACTIVE BIG-IP, STANDBY BIG-IP, Active Directory, SQL Backend; traffic legend: Pre-authentication Traffic, Backend Data Communication]
16. Use Case 2: Hybrid Cloud with site to site VPN
• Consistent settings and policies on prem and off
• Single-Sign-On for both on prem and cloud based apps
• Web-Application Firewall wherever your app resides
Modules:
• LTM: Load Balancing + App Delivery + SSL
• APM: Access Management
• ASM: Web Application Firewalling
• AFM: Firewalling + DDoS protection
[Diagram labels: Azure Virtual Net, On-Premise Net, S2S VPN, IPsec, ACTIVE BIG-IP, STANDBY BIG-IP, SQL Backend, On Premise DC, Active Directory, BIG-IP Platform, Internet, End Users; traffic legend: Pre-authentication Traffic, Backend Data Communication]
17. Use Case 3: Hybrid Cloud with GSLB and SAML
• Delivers Business Continuity
• Users get the best possible QoE
because the service comes from the
closest available source
Modules:
• LTM: Load Balancing + App Delivery + SSL
• APM: Identity Access Management
• ASM: Web Application Firewalling
• GTM: Business Continuity + DNS
[Diagram labels: WEST US, EAST US, GSLB, Authentication Traffic, Internet, End Users]
23. OFFERING
• Certified Images in marketplace and on
downloads.f5.com
• All BIG-IP Modules (GBB and standalone) in
Classic and ARM
• Performance: 25M, 200M, 1G BYOL and Utility
• Single and Multi NIC deployments
• Available in Azure Government Marketplace
• 30-day evaluation and lab licenses available
• WAF offering in Azure Security Center