Build DMZ in Azure Cloud

Azure routes traffic between Azure, on-premises, and Internet resources. Azure automatically creates a route table for each subnet within an Azure virtual network and adds system default routes to the table. You can override some of Azure’s system routes with custom routes, and add additional custom routes to route tables. Azure routes outbound traffic from a subnet based on the routes in a subnet’s route table.

You can a DMZ in Azure Cloud within your subscription or tenant. The concept of a DMZ or perimeter network is not new; DMZ is a layered network security approach to minimize the attack footprint of an application.

A DMZ architecture is comprised with either two layers or three layers of security and protection concept with additional user-defined routes and firewall rules. Azure network traffic to and from resources in a virtual network using network security groups and network virtual appliances.

Workload Placement in simple DMZ:

1. Untrusted Network (Layer 1- Frontend NSG) – WAP Server, Non-domain joined computer, Exchange Edge Server
2. Trusted Network (Layer 2 – Backend NSG) – Domain Controller, File Server, Print Server, RDS, Database and ADFS Server.

 

Simple DMZ Example Source Microsoft

Workloads Placement in advanced DMZ:

1. Extranet (Layer 1 – External Public Facing) A Firewall Appliance
2. Untrusted Network (Layer 2- Frontend NSG) – WAP Server, Non-domain joined computer, Exchange Edge Server
3. Trusted Network (Layer 3 – Backend NSG) – Domain Controller, File Server, Print Server, RDS, Database and ADFS Server.

 

Advanced DMZ Example Source Microsoft

 

 Example Address Spacing

Location	vNET	Address Space	Connectivity  to other region
Azure Australia East	vNET1	10.11.0.0/16 10.12.0.0/16	Azure Australia Southeast ExpressRoute or S2S VPN
Australia East On-premises	On-prem	10.41.0.0/16 10.41.0.0/16	S2S VPN to Azure Australia East
Azure Australia Southeast	vNET2	10.51.0.0/16 10.51.0.0/16	Azure Australia East ExpressRoute or S2S VPN
Australia Southeast On-premises	On-prem	10.100.0.0/16 10.101.0.0/16	S2S VPN to Azure Australia Southeast

Hybrid Network Workloads Placement

Hybrid Network Example Source Microsoft

Best Practices

Follow Azure Networking Best Practices. Follow three basic principal of Azure Networking- Segment, Control and Enforce.

• Segment- Multiple Azure Networks within a single vNET with large IP Address space. The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges. Use Trusted IP Address range (x.x.x.x/22), Untrusted IP Address Range (x.x.x.x/22).
• Control- Create multiple NSGs, associate FrontEnd NSG and Backend NSG with untrusted and trusted network respectively to control to and from Azure. NSGs are simple, stateful packet inspection devices that use the 5-tuple (the source IP, source port, destination IP, destination port, and layer 4 protocol) approach to create allow/deny rules for network traffic.
• Enforce – Enforce user-defined rules to allow only desired TCP & UDP traffic to the vNET, Use Virtual Network Appliance and Perimeter Networks at all times for Enterprise Azure deployment. Disable RDP at the VM level and allow RDP at the FrontEnd NSG. Use a jump box in the DMZ to access workloads.

Azure Stack Pricing Model

Azure Stack is sold as an integrated system, with software pre-installed on validated hardware. Azure Stack comes with two operational modes—Connected and Disconnected. Connected Mode use Azure metering services with the Microsoft Azure Cloud. The Disconnected Mode does not use Azure metering services. The Disconnected Mode is based on capacity pricing model. The Connected Mode is a Pay-as-you-use software pricing model.

Licensing Model

Payment Method	Description	License Type
PAYG	No upfront cost	EA or CSP
Capacity Model	Fixed Fees per annum	EA Only

Windows and SQL License

You have to use licenses from any channel (EA, SPLA, Open, and others), as long as you comply with all software licensing and product terms.

Linux Licenses

You have to use RedHat or other Linux licenses on the Azure Stack if you choose to use Linux Operating Systems. You have to pay to the software vendor for use of their software on the Azure Stack.

Connected Mode for Cloud Service Provider (CSP)

Azure Stack offers pay-as-you-use pricing, just like you get with Azure. Run infrastructure as a service (IaaS) and platform as a service (PaaS) on Azure Stack with no upfront fees, and use the same subscriptions, monetary commitments, and billing tools as Azure. The pay-as-you-use package is available through Enterprise Agreements (EA) and the Cloud Solution Provider program (CSP).

Service Type	Description	Hourly Rate	Monthly Rate
Compute	Base VM	$0.011/vCPU	$8 vCPU
	Windows VM	$0.059/vCPU	$43 vCPU
Storage	Storage		$0.008/GB
	Table & Queue		$0.023/GB
	Unmanaged Disk		$0.015/GB
App Services	Web Apps, API, Functions	$0.072/vCPU	$53 vCPU

The Connected Mode is available through both Enterprise Agreement (EA) and Cloud Service Provider (CSP) partner channel. Azure MSDN, Free Trial, and Biz Spark subscription IDs cannot be used in conjunction with Azure Stack.

Your Azure Stack usage will be metered and integrated into one bill with your Azure usage.

Use cases:

The customer already has Azure Subscription. The customer wants to establish hybrid cloud in conjunction with Azure Cloud.

Disconnected Mode for Azure Stack On-premises

the App Service package, which includes App Service, base virtual machines, and Azure Storage ($400/core/year), and the IaaS package, which includes base virtual machines and Azure Storage ($144/ core/year.) With the capacity model, you use your existing on-premises licenses to deploy Windows Server and SQL Server virtual machines.

The capacity model is available via EA only. It is purchased as an Azure Plan SKU via normal volume licensing channels.

Use Cases

The customer wants to build their own private cloud platform and offer services to their departments and subsidiaries. The purpose of this exercise is to segregate billing of each department but maintain single ICT organisation.

Azure Stack Support

Azure Stack support is a consistent, integrated, hybrid support experience that covers the full system lifecycle. If you already have Premier, Azure, or Partner support with Microsoft, your Azure Stack software support is included. You need only make one call to the vendor of your choice (Microsoft or hardware partner) for any Azure Stack issue.

For up-to-date pricing visit Microsoft website.

Amazon EC2 and Azure Virtual Machine (Instance) Comparison

Both Amazon EC2 and Azure VM provide a wide selection of VM types optimised to fit different use cases. An instance or VM is combinations of virtual CPU, virtual memory, temporary storage, and networking capacity and give a customer the flexibility to choose the appropriate mix of resources for workloads. Both AWS EC2 and Azure offers instances at scale for the requirements of any target workload. Both EC2 and Azure provide the option to store VM in persistent storage called EBS in Amazon terminology or Blob Storage in Azure terminology.

Available Windows/Linux VM both Cloud Services Providers:

Type	Description	Azure VM Windows & Linux	AWS EC2 Windows & Linux
General purpose	Balanced CPU-to-memory ratio.	B, Dsv3, Dv3, DSv2, Dv2, Av2	T2, M4, M5
Compute-optimised	High CPU-to-memory ratio.	Fsv2, Fs, F	C4, C5
Memory-optimised	High memory-to-CPU ratio. Great for database servers	Esv3, Ev3, M, GS, G, DSv2, Dv2	X1e, X1, R5, R4, Z1d
Storage optimised	High disk throughput and IO.	Ls	H1, i3, D2
GPU	Specialized for heavy graphic rendering and video editing	NV, NC, NCv2, NCv3, ND	P3, P2, G3, F1
High performance compute	fastest and most powerful CPU	H	C4, C5

Both AWS and Azure are utility pricing model analogous to your gas, water or power bills. Both Amazon and Azure provide standard instance as PAYG model, and also some instances are available in the reserved pricing model. In a reserved pricing model, you pay upfront at a cheaper rate for instance but commit for certain months or years. In a reserved instance, you pay additional for -storage consumption and network utilisation if it’s cross-geo connectivity. Both AWS and Azure have vast marketplace from where you can pick up and deploy any instance of your requirements at Scale.

Here is where Microsoft differentiate from AWS, you can save up to 72% over pay-as-you-go pricing with an upfront one- or three-year commitment in Azure Cloud. You can also exchange or cancel the RI at any time. Microsoft also offers Hybrid benefits, i.e. 40% off when you bring in Microsoft Windows/Linux workloads from On-prem to Azure. You can use your on-premises Windows Server or SQL Server licences with Software Assurance to make big savings when migrating a few workloads or entire data centres to the cloud.

You can get discounted rates on Azure for your ongoing development and testing, including no Microsoft software charges on Azure Virtual Machines and special dev/test pricing on other services.

Microsoft also offers US$5000 credit for the validated Not-for-Profit organisation for the use of Azure Cloud whilst signing

Relevant References:

Azure Pricing Calculator

Azure TCO Calculator

Offset IT Cost with Azure Cloud

Microsoft Azure credits now available to eligible not-for-profit organisations

Azure 54 regions in 140 countries