Moving our network to the cloud with Microsoft Azure

Our ongoing move to cloud networking here at Microsoft is at the core of our larger connectivity strategy.

Very practically, this shift is playing a pivotal role in how we are and will continue to support our more than 221,000 employees across 180 countries and regions, many of whom are working remotely. Our need to enable our people to successfully work and connect from where they are remains paramount.

Adopting cloud networking isn’t simply moving network resources from the data center to the cloud—we’re transforming the way we think about networking altogether. It’s about creating a new way to approach our connectivity and the business it supports.

– Raghavendran Venkatraman, principal cloud network engineering manager, Microsoft Digital

And how are we doing all of this?

We’re not going far—we’re using our own suite of Microsoft Azure network products.

“Adopting cloud networking isn’t simply moving network resources from the data center to the cloud—we’re transforming the way we think about networking altogether,” says Raghavendran Venkatraman, a principal cloud network engineering manager in Microsoft Digital, the company’s IT organization. “It’s about creating a new way to approach our connectivity and the business it supports.”

Venkatraman’s team has been using Microsoft Azure to push cloud networking to the forefront of the company’s business strategy, where it’s being used as a tool to drive business agility and innovation, not just connect points on a network.

And cloud networking is evolving rapidly.

“Everything is dynamic,” says Tom McCleery, a principal group cloud networking engineering manager in Microsoft Digital. “Implementing cloud networking doesn’t involve waiting for new hardware to get deployed. Almost all aspects of the network are software controlled, and we manage our cloud network environment more like a software development project than a hardware management project.”

“This isn’t about improving networking,” McCleery says. “It’s about fundamentally redefining it and then blowing the top off what was possible with traditional networking. It’s a completely different game. We can create a more complex and capable network environment than you could ever realistically put together with hardware alone, and we can do it in minutes for a network environment that would have taken months or even years to deploy in the past.”

– Tom McCleery, a principal group cloud networking engineering manager, Microsoft Digital

Software-defined networking (SDN) and infrastructure as code (IaC) have been instrumental in redefining how we approach networking. Infrastructure as code is the fundamental principle underlying our entire cloud networking infrastructure. Using IaC, we can develop and implement a descriptive model that defines and deploys network components and determines how the components work together. IaC allows us to create and manage a massive network infrastructure with reusable, flexible, and rapid code deployments.

“This isn’t about improving networking,” McCleery says. “It’s about fundamentally redefining it and then blowing the top off what was possible with traditional networking. It’s a completely different game. We can create a more complex and capable network environment than you could ever realistically put together with hardware alone, and we can do it in minutes for a network environment that would have taken months or even years to deploy in the past.”

We’re approaching network development and deployment with a new perspective. Agility is the key.

Our network engineers have embraced the ability to almost instantly create network environments using IaC methods. Test environments that accurately mirror their production counterparts can be created in moments and decommissioned just as quickly, saving time, money, and effort for everyone involved.

Enabling innovation with modern cloud networking practices

It’s not just about quick deployment; it’s about agility across all aspects of network management. The software-defined networking model allows for rapid provisioning of network resources, automated management, accurate, real-time monitoring, and advanced security features that adapt to the ever-changing threat landscape.

We use Microsoft Azure DevOps, a source control system using Git, to track and manage our IaC templates, modules, and associated parameter files. With Azure DevOps, we can maintain a history of changes, collaborate within teams, and easily roll back to previous versions if necessary.

Using SDN in Azure, we are achieving unprecedented microservice-like agility at a cloud scale. This approach allows us to experiment and refine our network infrastructure configurations as code, enhancing our ability to innovate swiftly and efficiently. By integrating CI/CD practices, we have transformed our network into a truly elastic and dynamic system, capable of adapting seamlessly to our evolving needs.

– Ragini Singh, a principal group engineering manager, Microsoft Digital

We’ve implemented automated testing to create safeguards and tests to validate the correctness and functionality of our cloud network code before deployment.

We’re using configuration management to automate the configuration and provisioning of cloud network objects and services within our cloud network infrastructure. These tools make defining and enforcing desired configurations and deployment patterns easy to ensure consistency across different network environments.

“Using SDN in Azure, we are achieving unprecedented microservice-like agility at a cloud scale,” says Ragini Singh, a principal group engineering manager, Microsoft Digital. “This approach allows us to experiment and refine our network infrastructure configurations as code, enhancing our ability to innovate swiftly and efficiently. By integrating CI/CD practices, we have transformed our network into a truly elastic and dynamic system, capable of adapting seamlessly to our evolving needs.”

Singh, Venkatraman, and McCleery appear in a composite image. — Ragini Singh, Raghavendran Venkatraman, and Tom McCleery are part of the team at Microsoft Digital transforming our network with Microsoft Azure.

Continuous integration (CI) pipelines automate the deployment process for our IaC-based cloud network infrastructure. When the infrastructure code passes all validation and tests. The CI pipeline triggers the deployment process automatically.

We’ve implemented robust monitoring and observability practices for deploying and managing our deployments. Monitoring and observability are helping us to ensure that our CI builds are successful, detect issues promptly, and maintain the health of our development process.

By following these steps and using continuous integration and development (CI/CD) practices, we can build, test, and deploy our cloud network infrastructure in a controlled and automated manner, creating a better employee experience by ensuring faster delivery, increased stability, and more effortless scalability.

Fast-tracking cloud networking development with Microsoft Azure

Our network engineering teams use Microsoft Azure to enable an agile deployment and management environment with instant global reach. The Azure network backbone provides instant reach to more than 60 regions worldwide with more than 165,000 miles of fiber optic and undersea cable systems.

Azure Virtual WAN has been instrumental in our recent global cloud networking transformation. We’re using Azure Virtual WAN to provide high-performance networking across our global presence, enabling reliable and security-focused connectivity for all Microsoft employees, wherever they are.

– Raghavendran Venkatraman, principal cloud network engineering manager, Microsoft Digital

We’re using this vast global network to create instant benefits for our employees and business through innovative uses of Microsoft Azure cloud networking components.

“Azure Virtual WAN has been instrumental in our recent global cloud networking transformation,” says Venkatraman, highlighting one of the Azure products currently pushing the boundaries of our cloud networking capabilities. “We’re using Azure Virtual WAN to provide high-performance networking across our global presence, enabling reliable and security-focused connectivity for all Microsoft employees, wherever they are.”

Microsoft Azure Virtual WAN simplifies large-scale branch connectivity and provides optimized and automated connectivity between on-premises workloads across multiple regions and Azure resources. It Integrates various connectivity options, including Azure VPN and Azure ExpressRoute. Azure VWAN enables us to facilitate centralized management and global and branch connectivity monitoring, enhancing the overall network management experience.

Azure Virtual WAN is one of several Azure cloud networking components that are enabling our transformation.

Microsoft Azure Firewall is a fully stateful firewall, providing network-level protection for our applications. We use Azure Firewall to inspect and filter traffic between different Azure Virtual Networks and on-premises networks. It provides application-level filtering capabilities to allow or deny traffic based on rules.

Microsoft Azure VPN enables secure communication between remote users, on-premises networks, and Azure resources over the public internet. Our remote users or branch offices can use Azure VPN to connect to Azure and on-premises resources securely using VPN tunnels. Azure VPN Integrates with Azure Firewall to inspect and filter VPN traffic for security purposes.

Microsoft Azure ExpressRoute provides a dedicated, private connection to Azure from our on-premises data centers, bypassing the public internet. ExpressRoute offers higher reliability, lower latency, and increased security compared to traditional internet-based connections. Integration with Azure Firewall ensures that traffic coming over ExpressRoute is inspected and filtered for security and compliance.

Microsoft Azure NAT Gateway enables outbound connectivity for resources traversing a virtual WAN environment or a virtual network, allowing access to the internet or other external services. Azure NAT Gateway is very useful for scenarios where internal resources need to initiate outbound connections. We use integration with Azure Firewall to control and monitor outbound traffic from Azure NAT Gateways to on-premises and Azure-based networks.

Enabling agility across the cloud networking environment

Together, these Azure products help create an agile, robust, scalable, and secure network architecture that allows us to fulfill several common scenarios that occur across our cloud network:

Secure internet access. We deploy Azure Firewall to inspect and filter outbound internet traffic from on-premises networks and Azure resources while NAT Gateway facilitates the actual outbound connectivity.
Hybrid connectivity. We use Azure VPN and Azure ExpressRoute to create a hybrid network architecture, allowing secure communication between on-premises and Azure resources.
Centralized management. We use Azure Virtual WAN for centralized management and connectivity optimization. Azure Virtual WAN enables us to connect multiple regions, on-premises resources, Azure resources, and branch offices seamlessly.
Localized network edges to improve regional performance. We’re increasing our use of the Azure global network as our primary global backbone. Using the Azure global network, we’ve enhanced regional network performance for many Microsoft employees and office locations by moving the network edge closer to our globally distributed employees.

Recently improved connectivity to our Microsoft Johannesburg location provides a compelling case study of how we’re using Azure to improve our networking posture and performance radically.

The solution relocates the internet edge for Johannesburg to the South Africa North region datacenter in South Africa, using Azure Firewall, Azure ExpressRoute, Azure Connection Monitor, and Azure VWAN. We’ve also evolved our DNS resolution strategy to a hybrid solution that hosts DNS services in Azure, which increases our scalability and resiliency on DNS resolution services for Johannesburg users. We’ve deployed the entire solution adhering to our infrastructure as code strategy, creating a flexible network infrastructure that can adapt and scale to evolving demands on the VWAN.

This transformation has been built by the hard work and ingenuity of our network engineers, who have adopted a new way of thinking about how our network functions.

– Tom McCleery, a principal group cloud networking engineering manager, Microsoft Digital

By relocating the network edge to the South Africa region in Azure instead of our data center edge in London and Dublin, connection latency from Johannesburg to other public endpoints in South Africa has dropped from 170 milliseconds to 1.3 milliseconds.

McCleery notes that the changes have been cultural as much as they’ve been technical.

“We’ve been operating our network the same way for more than 20 years,” he says. “This transformation has been built by the hard work and ingenuity of our network engineers, who have adopted a new way of thinking about how our network functions. It’s been a huge shift for them, and much of our innovation has come from a unique perspective or simply questioning how things have always been done. It’s the perspective that we will learn something every time we sit down and talk about this stuff together. With each deployment and iteration, we learn so much and come out of it even better equipped for the next project or problem.”

Succeeding and innovating as Customer Zero

The transformation of our cloud networking environment is a collaborative effort. Being Customer Zero at Microsoft means we’re using our own products and services to optimize our network performance, security, and scalability. By doing so, we pave the way for other customers to benefit from the same solutions and best practices.

One of the key advantages of being Customer Zero for the company is having a close partnership with the Azure engineering teams, who have provided feedback, support, and guidance throughout our transformation. We’ve been able to test new features and capabilities in real-world scenarios, identify and resolve issues quickly, and provide valuable insights for future enhancements.

For example, we were the first adopters of Azure Virtual WAN. Our deployment experiences helped shape the growth of the product and helped the Azure Virtual WAN product team understand how they could improve the user experience, the monitoring tools, and the automation capabilities.

Another benefit of being Customer Zero is accessing the latest innovations and technologies that Azure cloud networking offers. The Azure global network and products that support it give Microsoft Digital—just like any other Microsoft customer—access to an enterprise-scale platform on which we can optimize our network traffic, routing, security, and resilience.

Being Customer Zero also means being a leader and an industry advocate for Azure cloud networking. We can share the learnings and best practices gained from our network transformation journey with other Microsoft customers considering or undergoing similar changes. We’re advocates and innovators, demonstrating how Azure cloud networking can help customers achieve their business goals, such as enabling hybrid and multi-cloud scenarios, supporting remote work and collaboration, and accelerating digital transformation.

Looking forward

One of our key focus areas is the continued adoption of artificial intelligence and machine learning within our cloud network infrastructure. These technologies will enable Microsoft Digital to predict and prevent potential issues and optimize network performance proactively.

The evolution of the Internet of Things (IoT) and edge computing will also influence our cloud networking strategy. Azure’s IoT and edge services will allow for the deployment of network resources closer to the data source, reducing latency and enhancing the user experience.

The possibilities with Azure are endless. We’re just scratching the surface of what we can achieve. We aim to continue pushing the boundaries of cloud networking, making it more intelligent, automated, and even more aligned with our business objectives.

– Raghavendran Venkatraman, principal cloud network engineering manager, Microsoft Digital

As we continue to transform and adapt our global cloud networking environment, we remain committed to being Customer Zero for Azure cloud networking, expanding our network footprint, adopting new network services, and enhancing network automation and intelligence. By doing so, we aim to deliver a world-class network experience for our customers, partners, and employees.

Venkatraman sees a bright future for Microsoft’s cloud networking.

“The possibilities with Azure are endless. We’re just scratching the surface of what we can achieve. We aim to continue pushing the boundaries of cloud networking, making it more intelligent, automated, and even more aligned with our business objectives.”

Consider the following takeaways to help your organization begin or continue its cloud networking journey:

Embrace cloud networking for business agility. Adopting cloud networking transforms the approach to connectivity, driving business agility and innovation.
Use software-defined networking. Use infrastructure as code to deploy and manage a flexible and scalable network infrastructure rapidly.
Innovate with Azure Virtual WAN. Use Azure Virtual WAN for high-performance, secure, and reliable global connectivity.
Automate for efficiency. Implement automated testing and configuration management to streamline network management and deployment.
Monitor for success. Apply robust monitoring and observability practices to maintain the health of the network infrastructure.