Christian Dobler, Chakri Thammineni, Eric Scheffler, Author at Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/author/escheffler/
How Microsoft does IT

Revolutionizing SAP and ADP connectivity with Microsoft Azure VWAN and VPN
http://approjects.co.za/?big=insidetrack/blog/revolutionizing-sap-and-adp-connectivity-with-microsoft-azure-vwan-and-vpn/
Thu, 22 Feb 2024 21:21:25 +0000

The post Revolutionizing SAP and ADP connectivity with Microsoft Azure VWAN and VPN appeared first on Inside Track Blog.

Connecting line-of-business solutions into the Microsoft Azure networking environment is a critical part of enabling an efficient hybrid network environment and an important step in transforming enterprise networking using Azure.

We’ve recently helped SAP, one of our key business partners, replace an outdated VPN connectivity solution with a highly secure, cost-efficient connection into Azure for integration with ADP payroll using Azure VWAN and Azure VPN.

As cloud networking has matured, so have the requirements for security and traffic control. SAP’s pre-existing solution for connecting their VPN clients lacked support for critical IKEv2 security and traffic control mechanisms such as AES256 encryption, SHA256 hashing, and Border Gateway Protocol (BGP). To support these new requirements, the existing hardware used in SAP’s VPN solution needed to be replaced to comply with IKEv2 standards.

Chakri Thammineni, Eric Scheffler, and Christian Dobler (left to right) are part of a team at Microsoft Digital that created a Microsoft Azure-based VPN connectivity solution for SAP and ADP support.

Our cloud networking engineers at Microsoft Digital (MSD), the company’s IT organization, proposed a different solution: a cloud-first VPN solution using Azure VWAN and Azure VPN.

The cloud-first solution uses Azure VPN policies and tunneling to bypass the requirement for routing hardware in SAP’s environment. It also provides full support for IKEv2 and removes dependency on outdated VPN hardware and controls.

This is the first Azure-based solution using IKEv2 policy-based VPN connectivity for SAP and ADP support. This cutting-edge solution introduces a highly secure and cost-efficient way for business partners to connect with Azure while ensuring strict adherence to regulatory compliance.

The introduction of IKEv2 VPN connectivity allows partners’ systems to securely communicate with Microsoft’s SAP environment in Azure, fostering a seamless integration of services. It sets the stage for unprecedented connectivity, creating a robust ecosystem for business partners to collaborate and exchange data securely.

Azure VWAN provides native IKEv2 VPN connectivity support. By taking advantage of Azure’s powerful networking capabilities, the solution is instantly scalable and highly available. The Azure-native approach streamlines the entire connectivity process by simplifying setup, management, and monitoring.

With IKEv2 VPN and Azure VWAN, all communications between partners’ or providers’ systems and Microsoft’s SAP environment are encrypted and authenticated, safeguarding sensitive information from unauthorized access. As a result, we can provide our partners with peace of mind and uphold the highest standards of data protection.

By eliminating the need for complex hardware and streamlining the set-up process, we enable our internal businesses and partners to achieve significant cost savings. This cost-effectiveness empowers them to invest resources strategically and fuel their growth.

Regulatory compliance is non-negotiable in today’s business landscape. Our VPN connectivity and native network solutions are designed with strict adherence to regulatory requirements in mind. By meeting industry standards and regulatory mandates, we ensure that our business partners can confidently operate within the bounds of compliance, mitigating potential risks and challenges.

The first IKEv2 policy-based VPN connectivity solution for SAP and ADP support through Azure native network solutions represents an entirely new way to approach SAP and ADP connectivity for Microsoft partners. With improved security, better cost efficiency, and support for regulatory compliance adherence, we’re reshaping the standards for business partner connectivity in the cloud. We’re continuing to innovate and explore new approaches to secure and efficient VPN connectivity to support SAP systems.

Key Takeaways

To navigate the integration of your network with Microsoft Azure networking solutions, consider the following:

  • Explore Azure VWAN and VPN. Evaluate your network for potential improvements by considering Azure Virtual WAN and VPN for enhanced security and efficiency.
  • Assess security and compliance. Review your network’s security protocols and compliance standards against Azure’s IKEv2 encryption and regulatory adherence.
  • Initiate a pilot project. Test the impact of Azure VWAN and VPN by launching a small-scale pilot within your network, focusing on performance and cost benefits.

Try it out

Here’s how you can create a peer-to-site VPN connection using Azure Virtual WAN.

How we’re deploying our VWAN infrastructure using infrastructure as code and CI/CD
http://approjects.co.za/?big=insidetrack/blog/how-were-deploying-our-vwan-infrastructure-using-infrastructure-as-code-and-ci-cd/
Fri, 22 Sep 2023 20:48:18 +0000

The post How we’re deploying our VWAN infrastructure using infrastructure as code and CI/CD appeared first on Inside Track Blog.

Editor’s note: This is the first in an ongoing series on moving our network to the cloud internally at Microsoft.

We’re building a more agile, resilient, and stable virtual wide-area network (VWAN) to create a better experience for our employees to connect and collaborate globally. By implementing a continuous integration/continuous deployment (CI/CD) approach to building our VWAN-based network infrastructure, we can automate the deployment and configuration processes to ensure rapid and reliable delivery of network changes. Here’s how we’re making that happen internally at Microsoft.

Infrastructure as code (IaC)

Juan Jimenez (left) and Eric Scheffler are part of the team in Microsoft Digital Employee Experience that is helping the company move its network to the cloud. Jimenez is a principal cloud network engineer and Scheffler is a senior cloud network engineer.

Infrastructure as code (IaC) is the fundamental principle underlying our entire VWAN infrastructure. Using IaC, we can develop and implement a descriptive model that defines and deploys VWAN components and determines how the components work together. IaC allows us to create and manage a massive network infrastructure with reusable, flexible, and rapid code deployments.

We created deployment templates and resource modules using the Bicep language in our implementation. These templates and modules describe the desired state of our VWAN infrastructure in a declarative manner. Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Microsoft Azure resources.

We maintain a primary Bicep template that calls separate modules—also maintained in Bicep templates—to create the desired resources for the deployment in alignment with Microsoft best practices. We use this modular approach to apply different deployment patterns to accommodate changes or new requirements.

With IaC, changes and redeployments are as quick as modifying templates and calling the associated modules. Additionally, parameters for each unique deployment are maintained in separate files from the templates so that different iterations of the same deployment pattern can be deployed without changing the source Bicep code.

Version control

We use Microsoft Azure DevOps, a source control system using Git, to track and manage our IaC templates, modules, and associated parameter files. With Azure DevOps, we can maintain a history of changes, collaborate within teams, and easily roll back to previous versions if necessary.

We’re also using pull requests to help track change ownership. Azure DevOps tracks changes and associates them with the engineer who made the change. Azure DevOps is a considerable help with several other version control tasks, such as requiring peer reviews and approvals before code is committed to the main branch. Our code artifacts are published to (and consumed from) a Microsoft Azure Container Registry that allows role-based access control of modules. This enables version control throughout the module lifecycle, and it’s easy to share Azure Container Registry artifacts across multiple teams for collaboration.

Automated testing

Responsible deployment is essential with IaC when deploying a set of templates could radically alter critical network infrastructure. We’ve implemented safeguards and tests to validate the correctness and functionality of our code before deployment. These tests include executing the Bicep linter as part of the Azure DevOps deployment pipeline to ensure that all Bicep best practices are being followed and to find potential issues that could cause a deployment to fail.

We’re also running a test deployment to preview the proposed resource changes before the final deployment. As the process matures, we plan to integrate more testing, including network connectivity tests, security checks, performance benchmarks, and enterprise IP address management (IPAM) integration.

Configuration management

Azure DevOps and Bicep allow us to automate the configuration and provisioning of network objects and services within our VWAN infrastructure. These tools make it easy to define and enforce desired configurations and deployment patterns to ensure consistency across different network environments. Using separate parameter files, we can rapidly deploy new environments in minutes rather than hours without changing the deployment templates or signing in to the Microsoft Azure Portal.

Continuous deployment

The continuous integration (CI) pipeline automates the deployment process for our VWAN infrastructure when the infrastructure code passes all validation and tests. The CI pipeline triggers the deployment process automatically, which might involve deploying virtual machines, building and configuring cloud network objects, setting up VPN connections, or establishing network policies.

Monitoring and observability

We’ve implemented robust monitoring and observability practices for how we deploy and manage our VWAN deployment. Monitoring and observability are helping us to ensure that our CI builds are successful, detect issues promptly, and maintain the health of our development process. Here’s how we’re building monitoring and observability in our Azure DevOps CI pipeline:

  • We’re creating built-in dashboards and reports that visualize pipeline status and metrics such as build success rates, durations, and failure details.
  • We’re generating and storing logs and artifacts during builds.
  • We’ve enabled real-time notifications to help us monitor build status for failures and critical events.
  • We’re building in pipeline monitoring review processes to identify areas for improvement, including optimizing build times, reducing failures, and enhancing the stability of our pipeline.

We’re continuing to iterate and optimize our monitoring practices. We’ve created a feedback loop to review the results of our monitoring. This feedback provides the information we need to adjust build scripts, optimize dependencies, automate certain tasks, and further enhance our pipeline.

By implementing comprehensive monitoring and observability practices in our Azure DevOps CI pipeline, we can maintain a healthy development process, catch issues early, and continuously improve the quality of our code and builds.

Rollback and rollforward

We’ve built the ability to roll back or roll forward changes in case of any issues or unexpected outcomes. This is achieved through infrastructure snapshots, version-controlled configuration files, or using features provided by our IaC tool.

Improving through iteration

We’re continuously improving our VWAN infrastructure using information from monitoring data and user experience feedback. We’re also continually assessing new requirements, newly added Azure features, and operational insights. We iterate on our infrastructure code and configuration to enhance security, performance, and reliability.

By following these steps and using CI/CD practices, we can build, test, and deploy our VWAN network infrastructure in a controlled and automated manner, creating a better employee experience by ensuring faster delivery, increased stability, and more effortless scalability.

Key Takeaways
Here are some tips on how you can start tackling some of the same challenges at your company:

  • You can use Infrastructure as code (IaC) to create and manage a massive network infrastructure with reusable, flexible, and rapid code deployments.
  • Using IaC, you can make changes and redeployments quickly by modifying templates and calling the associated modules.
  • Don’t overlook version control. Tracking and managing IaC templates, modules, and associated parameter files is essential.
  • Perform automated testing. It’s necessary to validate the correctness and functionality of the code before deployment.
  • Use configuration management tools to simplify defining and enforcing desired configurations and deployment patterns. This ensures consistency across different network environments.
  • Implement continuous deployment to automate the deployment process for network infrastructure after the code passes all validation and tests.
  • Use monitoring and observability best practices to help identify issues, track performance, troubleshoot problems, and ensure the health and availability of the network infrastructure.
  • Building rollback and roll-forward capabilities enables you to quickly respond to issues or unexpected outcomes.

Try it out
Try using a Bicep template to manage your Microsoft Azure resources.
