Nirag Tibdewal, Roberto Guzman Ortiz, Seth Reisinger, Author at Inside Track Blog http://approjects.co.za/?big=insidetrack/blog/author/ntibdewa/ How Microsoft does IT Wed, 29 Nov 2023 00:58:03 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 137088546 Building resilient and secure virtual labs with Azure Firewall, Azure Container Apps, and Service Bus http://approjects.co.za/?big=insidetrack/blog/building-resilient-and-secure-virtual-labs-with-azure-firewall-azure-container-apps-and-service-bus/ Tue, 24 Oct 2023 19:36:35 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=12422 Editor’s note: This is the third in an ongoing series on moving our network to the cloud internally at Microsoft.  At Microsoft, our support, escalation, and customer engineers help Microsoft with solution troubleshooting, implementation assistance, integration walkthroughs, and many other complex support needs. Our Microsoft Digital (MSD) team created a virtual lab tool named MyWorkspace […]

The post Building resilient and secure virtual labs with Azure Firewall, Azure Container Apps, and Service Bus appeared first on Inside Track Blog.

]]>
Microsoft Digital storiesEditor’s note: This is the third in an ongoing series on moving our network to the cloud internally at Microsoft. 

At Microsoft, our support, escalation, and customer engineers help Microsoft with solution troubleshooting, implementation assistance, integration walkthroughs, and many other complex support needs.

Our Microsoft Digital (MSD) team created a virtual lab tool named MyWorkspace to help our engineers accurately replicate customer environments using cloud-based resources in Microsoft Azure so they can provide contextual troubleshooting and support. Recently, we developed the MyWorkspace network management service to reduce the complexity of deploying and managing network environments that host MyWorkspace virtual labs.

Using the capabilities of Azure Firewall, Azure Container Apps, Azure Service Bus, and the flexibility of infrastructure as code (IaC), the network management service enables MyWorkspace to provide a catalog of instantly deployable network topologies and management strategies for virtual labs. The service optimizes the deployment, performance, security, and usability of virtual lab network environments in Azure, creating a seamless experience for our engineers and contributing to an excellent customer support experience.

Azure-based virtual lab solution components: Azure Container Instances, Service Bus, Firewall, Virtual Networks, and Active Directory.
Here’s an architecture diagram that shows the connectivity needed to deploy and access virtual lab network environments.

Using infrastructure as code for automation and consistency

Maintaining a catalog of network topologies is crucial to MyWorkspace’s functionality because our support engineers’ needs vary based on their customer support scenarios. Using the network management service, MyWorkspace provides pre-defined templates created by the MyWorkspace team and validated by MSD security teams. MyWorkspace uses these templates to dynamically deploy network infrastructure for virtual lab environments.

By using Azure Resource Manager and Bicep templates, all network topologies are deployed and configured as IaC. The templates for these network topologies can be developed, tested, and updated independently, ensuring their functionality, usability, and reusability before being uploaded to the catalog.

Creating dynamic networks with Azure Firewall and hub and spoke topology

When deploying network templates, hub and spoke architecture is the foundational topology for the MyWorkspace network management service. This design facilitates network isolation by centralizing control, segmenting traffic, and enhancing security through Azure Firewall—located within the hub virtual network. A hub and spoke model provides the following benefits in our environment:

  • Simplified management. A central hub simplifies management tasks, including traffic flow control, network policy management, traffic monitoring, and security measures enforcement.
  • Integrated scalability. The hub and spoke model inherently supports scalability. With virtual network peering, up to 500 distinct virtual networks can be connected to the virtual network hub.
  • Optimized resource usage. We can ensure efficient resource use by centralizing services and resources in the hub, such as removing peerings for unused virtual networks.
  • Improved troubleshooting. Centralized traffic flow makes identifying and troubleshooting network issues easier, enhancing network reliability.
  • Data security compliance. The hub and spoke model inherently enforces strict traffic segmentation, aiding in compliance with data security requirements and regulatory standards.

Azure Firewall serves as the central element in our hub and spoke network. By using Azure Firewall for traffic flow control and segment isolation, we gain several benefits, including:

  • High throughput. With a throughput capacity of 100 gigabits, the Premium tier of Azure Firewall ensures that the network can handle even the most demanding workloads without compromising performance.
  • Advanced security. The built-in transport layer security (TLS) inspection and intrusion detection capabilities provide an additional layer of security, ensuring that malicious traffic is detected and thwarted before it can harm the network.
  • Direct API calls. Using the Azure Firewall API in Azure CLI, Azure PowerShell, .NET, and additional languages enables us to deeply integrate Azure Firewall functionality into our automation framework.

Our team has worked closely with the Azure Firewall product team as Customer Zero—using Microsoft products internally within MSD. As a result, we’ve been able to provide feedback and use cases that the product team could use to improve features and functionality for Microsoft customers.

The partnership between MyWorkspace and the Azure Firewall Product team has been truly transformative. MyWorkspace’s role as an early adopter, serving as Customer Zero, has been instrumental in refining the product for external users.

—Varun Anantharaman, senior product manager, Azure Firewall product team

We’ve also pioneered new use cases for Azure Firewall, including NGINX server integration with Azure Firewall in the MyWorkspace network management service. This integration has brought flexibility to the network architecture, enabling the team to seamlessly support more inbound network flows.

With Azure Firewall’s seamless integration with Azure services, built-in high availability, automatic scaling, and robust logging and monitoring, it stands out as the primary choice for securing infrastructure.

“The partnership between MyWorkspace and the Azure Firewall Product team has been truly transformative,” says Varun Anantharaman, Senior Product Manager for the Azure Firewall product team. “MyWorkspace’s role as an early adopter, serving as Customer Zero, has been instrumental in refining the product for external users.”

Ortiz, Tibdewal, and Reisinger smile in a corporate photo.
Roberto Guzman Ortiz (left), Nirag Tibdewal (center), and Seth Reisinger (right) are part of the MyWorkspace team in Microsoft Digital Employee Experience. Ortiz, Tibdewal, and Reisinger are software engineers.

Reducing cluster complexity with Azure Container Apps

To build the MyWorkspace network management service, our team required an Azure hosting service that would reduce the need for infrastructure configuration and allow developers to focus on code delivery. After analyzing the various options, we chose Azure Container Apps. Built on Kubernetes, Azure Container Apps abstracts the underlying cluster infrastructure, allowing configuration and management using simplified IaC and continuous integration and delivery (CI/CD) deployment methods for rapid resource deployment.

We use the auto-scaling feature of Azure Container Apps to create simplified scaling rules based on events like HTTP requests, CPU usage, or queue message counts. With IaC, these scaling rules can be configured to accommodate microservice needs.

Azure Container App costs are tracked at the individual resource level, making it easier to understand and manage overall expenses. Since each Azure Container App is deployed as a separate microservice unit, scaling rules can be configured to place containers in an idle state during low resource use to reduce cost.

Enabling just-in-time access control with Azure Service Bus

Security and governance are crucial for creating more secure and compliant environments for our support engineers. We use just-in-time (JIT) access to grant temporary access to virtual lab environments for authorized users for a limited time. JIT access improves security and avoids persistent access to deployed network infrastructure. JIT sessions have a minimum duration of 1 hour and a maximum of 10 hours.

We’re using Azure Service Bus scheduled messages to track the precise expiration of these sessions. With scheduled messages, we calculate the desired expiry time for each virtual lab session and schedule a message using the expiry time using the Message API.

Azure Service Bus automatically activates the scheduled message when the scheduled expiration time arrives. This message triggers the session deactivation microservice listening to the Service Bus for messages.

Using Azure Service Bus decreases complexity by removing the need for custom messaging code or session tracking logic in each microservice component. It also allows for precise deactivation of JIT sessions at the exact moment they expire.

Service Message Bus supports instant scalability to accommodate increased workload without decreased performance. It also efficiently handles messaging by sending and processing messages only when they’re due, without requiring dedicated resources or continual open polling.

The network management service uses Azure technology to provide a compliant and efficient software as a service (SaaS) solution for deploying network topology in MyWorkspace. This helps us deliver a virtual lab environment to more than 18,000 Microsoft employees that’s secure by design, optimizes user productivity, eliminates hardware costs, and provides good stewardship over Azure resources.

Key Takeaways

  • Adopt infrastructure as code: Use Azure Resource Manager and Bicep templates to deploy and maintain your Azure resources efficiently and consistently.
  • Take advantage of hub and spoke architecture. Implement a hub and spoke network model in Azure to benefit from simplified management, integrated scalability, and enhanced security.
  • Maximize Azure Firewall capabilities. Explore the advanced features of Azure Firewall—like the Premium tier’s high throughput—for efficient traffic flow control and enhanced network security.
  • Implement JIT access with Azure Service Bus. Improve security by enabling just-in-time access controls using Azure Service Bus scheduled messages for precise session tracking.
  • Simplify microservice infrastructure with Azure Container Apps. Use Azure Container Apps to abstract Kubernetes cluster infrastructure and employ auto-scaling features for optimal resource utilization.

Try it out

Try deploying your resources with PowerShell and Bicep.

Related links

We'd like to hear from you!

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Building resilient and secure virtual labs with Azure Firewall, Azure Container Apps, and Service Bus appeared first on Inside Track Blog.

]]>
12422