infrastructure as code Archives - Inside Track Blog (How Microsoft does IT)
http://approjects.co.za/?big=insidetrack/blog/tag/infrastructure-as-code/

Transforming Microsoft’s enterprise IT infrastructure with AI
http://approjects.co.za/?big=insidetrack/blog/transforming-microsofts-enterprise-it-infrastructure-with-ai/ (Wed, 21 Feb 2024)


AI is changing everything at Microsoft, including our approach to core IT.

We in Microsoft Digital, the company’s IT organization, are using the advent of generative AI to reexamine and transform our entire IT infrastructure.

“We’ve crossed an important threshold with AI,” says Mark Sherwood, vice president of Infrastructure and Engineering Services in Microsoft Digital. “We’re now using it to transform all our core IT services, to make everything we do more efficient and secure.”

Sherwood and his team manage our core IT services, a massive enterprise IT estate that supports all of Microsoft’s business worldwide. Microsoft is an expansive universe of connected devices made up of hundreds of thousands of PCs and laptops, conference rooms, building IoT sensors, and personal devices—all dependent on a foundation of network connectivity and security to enable seamless access to the tools and services our employees rely on every day.

It’s clear that AI brings immense value to our IT infrastructure.

“This is a fascinating time to be working in IT,” Sherwood says. “We’re using AI across all of our services, and now we get to take that investment to the next level. Now it’s all about seeing what we can do with it.”

Aligning IT infrastructure innovation with the rest of the organization

The strategy for AI transformation in core IT infrastructure is one part of a larger vision for the impact of AI across all of Microsoft Digital.

“The potential for transformation through AI is nearly limitless,” says Natalie D’Hers, corporate vice president of Microsoft Digital. “We’re evaluating every service in our portfolio to consider how AI can improve outcomes, lower costs, and create a sustained competitive advantage for Microsoft and for our customers.”

We’re hyper-focused on our employee experience, and AI will be instrumental in shaping the future of how Microsoft employees interact with customers, the organization, and each other.

Transforming and securing our network and infrastructure

AI holds enormous potential across all of Microsoft Digital, but within IT infrastructure, the benefits of AI-enabled transformation play out across several specific pillars where we’re focusing our efforts: device management, network infrastructure, tenant management, security, and the IT support experience.

Security

We can’t transform without adequate security. Properly implemented security controls and governance provide the secure foundation on which our engineering teams build solutions, and that security is especially relevant as we incorporate AI into our services and solutions.

Securing our network and endpoints is imperative, and our Zero Trust Networking efforts across our IT infrastructure provide essential protection against threats to our network security. AI will enhance the security and compliance of these efforts in our cloud and on-premises environments.

AI-based network assignment for devices will simplify network classification and provide more robust risk-based isolation, quarantining risky devices and reducing unwanted lateral movement across the network.

We’re automating access controls for our wired and wireless networks to improve security effectiveness. AI-infused processes for analyzing device vulnerabilities, detecting anomalous firewall traffic flow, and diagnosing other network incidents will play a critical role in our continued shift toward the internet as our primary network transport.

We anticipate that AI-supplemented capability in Microsoft 365’s multi-tenant organization feature will help us meet our ever-changing network segmentation needs by maintaining tenant separation and enabling secure tenant cross-collaboration when required.

AI will help us manage third-party app access and revolutionize how we understand user interactions with applications across managed devices or SaaS platforms. We’ll increase access efficiency and reduce costs by capturing third-party app usage and needs more accurately, using AI to determine the how, why, and when of user access.

Intelligent infrastructure

[Photo: Mark Sherwood, Pete Apple, Senthil Selvaraj, and Phil Suver (left to right) were part of the team incorporating AI into Microsoft Digital’s vision for core IT.]

Software-defined networking and infrastructure as code are already transforming how we approach networking, but AI amplifies the benefits radically.

AI enables us to build data-driven intelligence into network infrastructure, engineering, and operations. AI-driven processes will help us eliminate configuration drift, comply with security policies, reduce operator errors, and efficiently respond to rapidly changing business needs.

We’re implementing AI-driven automation to simplify resource management and deployment, capitalizing on the flexibility provided by software-defined networking and infrastructure as code.

AI will assist with generating code designs, defining and managing network configurations, managing deployments, conducting pre- and post-deployment verifications, and assisting with change management over time. Near real-time streaming telemetry from network devices will form the foundation to guide operation and continuous improvement.

We’re improving network self-healing capabilities by using AI to detect and remediate network issues, creating a more reliable, resilient, and elastic network environment and reducing human intervention and potential for error.

One of our current projects is creating an AI-based assistant app for our direct engineering teams that mines and analyzes our current network infrastructure catalog, providing an advanced set of capabilities that supplement our engineers’ expertise in the field. The assistant app improves productivity and mitigation time for network infrastructure incidents. The AI component is trained on more than 200,000 prior incidents for anomaly detection and predictive analytics. We’re confident it will lead to a considerable reduction in network outages and maintenance costs.

Device management

With more than 1 million interconnected devices to manage, we expect AI-powered capabilities to significantly improve our device management practices, with a focus on user and administrator workflows.

We’re implementing intelligent device recommendations to ensure our employees have the best tools to do their work. Building AI into a centralized device lifecycle management tool will create efficiencies in procurement, tracking, and responsible device recycling.

We’re designing AI-powered predictive maintenance and intelligent troubleshooting to reduce device-related issues significantly. AI-enabled device maintenance schedules and tasks will automate the device management process and reduce the load on our IT help desk by correcting device issues before they become user problems and helpdesk incidents.

Across our vast scope of device management, many alerts and tickets contain information or fixes that our helpdesk engineers can use in other situations. We’re employing AI to generate device insights by analyzing a massive set of signals, including device configurations, network traffic, vulnerabilities, and user behavior. These insights will power more informed decisions across the device management portfolio, including device replacement, software updates, and capacity increases.

We have more than 100,000 IoT devices on our corporate network. AI-automated IoT device registration will create more robust and efficient IoT device management, tracking, and security.

AI and machine learning will help us aggregate meeting and call data for device monitoring across personal devices, Microsoft Teams meeting rooms, networks, IoT devices, and Microsoft 365, improving and safeguarding the user experience.

Tenant management

Our cloud tenants in Microsoft Azure, Microsoft 365, Dynamics 365, and the Power Platform are among those platforms’ largest and most complex implementations. Our internal implementation includes more than 205,000 Microsoft Teams, 534,000 SharePoint sites, 430,00 Microsoft Exchange mailboxes, 93,00 Power Apps, 5,000 Viva Engage communities, and a massive 25,000 Microsoft Azure subscriptions.

It’s a lot to manage, and AI will improve how we do it.

In tenants of our size, unmanaged assets can lead to unnecessary costs. Our asset compliance and lifecycle management processes will include an AI-powered compliance assistant that informs tenant users and owners, recommends assets for deletion, and proactively identifies areas of high risk for the tenant. Through the assistant, tenant admins gain an all-up view of compliance status and can investigate and resolve issues more granularly.

AI is also simplifying and streamlining our license management processes. We adhere to precise rules and regulations, which result in complex access scenarios across different countries and regions. AI will bolster our ability to detect and remediate non-compliant tenants amidst this complexity.

IT support

We’re poised to transform how Microsoft employees interact with our support services using generative AI.

Our employees interact with Microsoft support services in a complex, global hybrid environment. Our self-help solution using Microsoft Azure OpenAI will enable contextual and human-like conversation and support in the employee’s local language. Our chat and incident summarization tools will use AI to summarize incidents and provide context when assisted support is necessary.

We’re infusing our support ticketing systems with AI capability for forecasting support requirements and proactively checking the health of devices to reduce issues and improve resource planning and response times.

Transforming our IT infrastructure as Customer Zero

As Customer Zero for Microsoft, we pilot and deploy new products and capabilities in our IT infrastructure before releasing them externally. Our scale, size, and knowledge of our products and services enable us to envision connected experiences across large enterprises, manage complex combinations of product use cases, and engineer solutions on top of our product platforms.

AI improves our role as Customer Zero by accelerating insights and improving time-to-value. We’re using AI capabilities to capture, review, analyze, and report on the most important and actionable insights from the Customer Zero experience. We’re also using AI to redevelop processes, regulatory compliance, security reviews, and deployment practices within the Customer Zero environment.

Looking forward

It’s almost impossible to envision a future for corporate IT infrastructure without AI. Our active planning for AI in our infrastructure is continually evolving, and we’ve only just begun our implementation. We’re positioning Microsoft to be a catalyst for innovation, and we’re committed to innovating with AI to streamline our IT operations.

“We will continue to infuse AI into every dimension of our enterprise portfolio,” Sherwood says. “We’ll continue to identify new opportunities for building AI-powered applications and services that improve how we deliver IT services to the company.”

By showcasing our progress with AI capabilities, we aim to transform our approach to AI internally here at Microsoft and to fuel a similar transformation across the IT sector.

Key Takeaways

Here are four important steps you can take to transform your IT infrastructure with AI:

  • Make device handling smarter with AI. Use AI to manage all devices better, helping to fix problems before they affect people and easing the workload for your IT team.
  • Use AI to improve the network. Integrate AI into the network system to make it more intelligent and more adaptable, which helps reduce downtime and facilitates faster and easier changes.
  • Manage cloud services better with AI. AI can help keep track of cloud services, ensuring everything is used properly and securely.
  • Boost security and helpdesk with AI. Enhance safety and helpdesk services using AI, leading to better network protection and quicker, more effective support for employees when they need it.

Moving Microsoft’s global network to the cloud with Microsoft Azure
http://approjects.co.za/?big=insidetrack/blog/moving-microsofts-global-network-to-the-cloud-with-microsoft-azure/ (Fri, 05 Jan 2024)

Microsoft Azure has been part of the enterprise solution architecture at Microsoft for more than eight years. One thing has remained constant throughout our journey—from early lift-and-shift migrations to recent transformations to cloud-first solutions—the network.

“In the early stages, migrating on-premises resources into Azure was our priority, and low-bandwidth dedicated links provided connectivity between on-premises networks and Azure,” says Raghavendran Venkatraman, a principal cloud network engineer at Microsoft Digital (MSD), Microsoft’s internal IT organization. “Over time, these links evolved into high-bandwidth shared connections, providing greater flexibility and capacity.”

As new networking features were released on Azure, the Microsoft Digital cloud networking team embraced these innovations with enthusiasm and a Customer Zero mindset. This approach led to a continuing transformation of our network architecture and an ongoing partnership with the Azure product team.

[Photo: Raghavendran Venkatraman is a principal cloud network engineering manager in Microsoft Digital, the company’s IT organization. His team is leading the cloud networking transformation at Microsoft.]

We transitioned to a high-bandwidth model to support our connectivity needs between Azure and on-premises resources, integrating with the native Azure security features. That gave us a robust framework that reduced our reliance on on-premises hardware and third-party devices.

Now, we find ourselves at an inflection point in this journey.

Our line-of-business applications have successfully transitioned to Azure. Our product development environments, previously exclusively on-premises, have matured into hybrid configurations that seamlessly blend on-premises and cloud resources. Additionally, many of our labs have moved to the cloud. Almost 98 percent of Microsoft’s IT infrastructure is hosted in Azure.

However, we need to go further back to understand the complete story.

Long before we deployed our very first Azure tenant or created a virtual network, the Microsoft global network had its humble beginnings more than 40 years ago, supporting connectivity for a handful of employees in a single building in Redmond, Washington.

Our global network has since grown to include more than 180,000 employees working in more than 180 countries and regions worldwide. Our global network is critical for our business operations and is at the center of our architecture design, engineering principles, and security posture. This global network connects our offices and data centers and has been our employees’ launching pad from the corporate network to the cloud.

“There is a critical facet of our organization’s network that has yet to embrace the cloud’s transformative capabilities fully,” Venkatraman says. “Our global network and enterprise services still depend on third-party solutions. These services include vital components such as DNS, remote access, internet edge, and connectivity between our regional Microsoft locations.”


Why move global network connectivity to the cloud?

We’re migrating these essential global network services to the cloud. This shift aligns our network architecture with Microsoft’s cloud-first mindset. It enables our network engineers to use the extensive capabilities of Azure, offering greater agility, scalability, and resilience for our network and services.

The journey to migrating these enterprise services isn’t just about technology evolution. It’s about aligning our infrastructure with our vision for the future. It’s about harnessing the power of the cloud to usher in a new era of efficiency, security, and agility at Microsoft.

“Migrating our enterprise network services to the cloud supports the shift toward modern, agile IT operations,” Venkatraman says. “It enables us to respond swiftly to the changing demands of our users and the technological landscape. Using Azure helps us future-proof our infrastructure, ensuring it remains adaptable and resilient in the face of ongoing change.”

Azure offers a comprehensive array of defense-in-depth security features and services, including built-in encryption, DDoS protection, Microsoft Defender for Cloud, network security groups, application security groups, and secure secrets management with Azure Key Vault. Our migration ensures that we continue to meet the highest standards of security and data protection, a critical aspect of our operational excellence.


Azure offers more than 60 regions worldwide to deploy and host Azure resources. These regions are connected by a resilient backbone network connecting continents, regions, and cities. It offers a comprehensive suite of features to support enterprise network operations in the cloud.

The primary directive of our migration to the cloud is to transition our global enterprise network traffic from third-party and on-premises network resources to the global Azure backbone, taking advantage of the vast array of benefits that the Azure backbone network offers our workloads.

[Diagram: Connecting and supporting Microsoft’s global network with Microsoft Azure, via Azure virtual networking, to many endpoints, including internal, third-party, and internet apps and services.]

“There are several compelling advantages to embracing Azure as a core network provider,” Venkatraman says. “It provides unmatched scalability, high reliability, and exceptional agility. These factors contribute to building a cost-efficient infrastructure that can adapt to our evolving needs.”

Our shift to the cloud as our primary network represents an opportunity for us to harness the full potential of Azure, and it aligns seamlessly with our commitment to delivering efficient, reliable, and agile services, not just for our internal needs but also for our partners and customers.

By acting as Customer Zero and embracing these Azure features and network services for our core needs, we want to set new benchmarks for efficiency and performance and demonstrate the full extent of Azure’s capabilities.

How we’re migrating our network to Azure

Shifting Microsoft’s global network and enterprise services to Azure involves transforming and improving the paths that shape our network traffic flow. “We’re moving essential services such as DNS, remote access, and the internet edge out of on-premises and third-party solutions and into Azure-native services and functionality,” Venkatraman says.

We aim to create a more agile, resilient, and stable global virtual wide area network (VWAN) that supports all our enterprise traffic. By hosting our core network in Azure, we’re placing our employees as close as possible to the network and cloud resources they need.

Within our global VWAN, the vast majority of our employees will be transferred to a remote, internet-first connectivity method, making the internet their first connection point and placing them in close network proximity to the nearest Azure region, where most of our IT resources reside. Simultaneously, we’re transitioning regional offices to connect with our corporate environment directly through Azure, supplemented by a local internet edge. This replaces the conventional centralized edge for that region and creates a more efficient path to each location, improving efficiency and increasing performance.

We’re improving automation and agility by adopting software-defined networking practices natively available in the cloud and taking a continuous integration/continuous deployment (CI/CD) approach to building our VWAN-based network infrastructure. This results in quick and reliable delivery of changes to network services and enables us to match the increasing pace of technology change in the marketplace.

Understanding the benefits of an Azure-based global network

Transitioning our enterprise services to the cloud is a pivotal milestone in our ongoing journey to transform and enhance our network infrastructure and organization. This strategic shift offers remarkable advantages that profoundly impact our operations, scalability, and efficiency. These benefits include:

  • Highly available network infrastructure. By embracing the cloud, we gain access to a network infrastructure with built-in reliability and availability. This ensures seamless connectivity and service delivery to our employees and customers.
  • Data center footprint reduction. Our line-of-business applications have successfully migrated to virtual data centers hosted on the cloud. This evolution minimizes our reliance on traditional on-premises data centers and opens doors to a more agile and scalable approach.
  • Cloud-native enterprise services. We’re moving core enterprise services to the cloud, aligning our operations with the modern digital age. This transition streamlines our services, enhancing their efficiency and accessibility.
  • Maximized usage of cloud resources. As Azure continues to evolve and offer innovative features, our migration to the cloud allows us to capitalize on the full potential of these advancements, keeping us at the forefront of technological progress.
  • Strategic advancements and the seamless integration of Microsoft Entra. Azure networking increases our capability to migrate enterprise services to the cloud. This strategic movement includes integration with Microsoft Entra, which enables us to prioritize security. We’re using Entra integration to minimize public-facing exposure, exercise tight control over incoming traffic, and implement dynamic onboarding processes to deploy network services.
  • A reference architecture for our customers. The transition underlines our commitment to the cloud, providing a reference architecture that communicates Microsoft’s commitment to delivering enterprise-class products and using those products to run our own organization.
  • Cost-efficient infrastructure. Cloud migration empowers us to build an infrastructure that is not only cost-efficient but also highly agile and scalable. We can optimize resource utilization, ensuring we pay only for what we consume.
  • Reduced third-party dependency. As we bring more services in house through the cloud, we can optimize our reliance on third-party solutions. This consolidation enhances our control, security, and cost-effectiveness. One of the biggest benefits is that we will have less of a need to sign and be constrained by multi-year contracts with third-party providers.
  • Infrastructure that is secure by design. The cloud’s security features, combined with our robust in-house practices, create a secure-by-design infrastructure. This enhances the protection of our services and data.
  • Hybrid management possibilities. Our hybrid approach integrates the management of on-premises and cloud resources. This approach ensures a unified, efficient, and effective way of managing our entire infrastructure.
  • DevOps-integrated infrastructure as code (IaC). We’re embracing a DevOps culture and integrating IaC principles into our operations. This approach automates deployment and configuration, streamlining our workflows and ensuring rapid and reliable delivery of changes.
  • Built-in reliability and resiliency. The global Azure network provides a highly redundant backbone. By using this architecture, we enhance the reliability and availability of our global services without requiring extra management or deployment.
  • Enhanced scalability. The extensive bandwidth and capabilities of Azure provide enhanced scalability and position us strategically to drive AI innovation. Our network’s ability to rapidly adapt to varying workloads and accommodate future growth enables us to align with Azure Copilot capabilities. The natively available data telemetry enables us to integrate with Azure AI offerings, fostering an agile environment that keeps pace with the rapid evolution of AI innovation within our organization.

Moving forward

Moving our global enterprise network services to the cloud is a transformative move that aligns with our mission to optimize the full potential of Azure and embrace modern, cloud-native practices.

“Transitioning enterprise services to the cloud is a transformative move that aligns with our mission to optimize the full potential of Azure and embrace modern, cloud-native practices,” Venkatraman says. “This transition represents a major step toward a more efficient, scalable, and secure future, embodying our commitment to innovation and technological excellence.”

As we migrate our global enterprise network services to Azure, we’re continually examining and integrating newly released Azure capabilities. This approach supports our vision for combining efficiency, resilience, and agility to enable our employees and organization to achieve more. It sets the stage for a future in which our network and services are more adaptable, efficient, and secure than ever before.

Key Takeaways

Here are some tips for getting started on moving your network to the cloud:

  • Embrace cloud transition proactively. Assessing and acting on the potential of cloud infrastructure can lead to increased agility, scalability, and cost-effectiveness.
  • Prioritize security and compliance. A secure-by-design infrastructure is vital for protecting services and data and maintaining stakeholder trust.
  • Adopt a hybrid management approach. A hybrid configuration that blends on-premises and cloud resources offers a unified, efficient way of managing infrastructure, balancing the strengths of both environments.
  • Integrate DevOps and automation practices. Continuous integration/continuous deployment (CI/CD) and infrastructure as code (IaC) principles streamline workflows, ensuring rapid and reliable delivery of changes and optimizing resource deployment.
  • Stay updated and adapt. As cloud platforms evolve, re-evaluate and adjust your cloud strategy to remain at the forefront of technological progress.

Try it out

Simplify moving your network to Azure with Microsoft Azure Migrate.

Try creating and modifying a circuit with Microsoft Azure ExpressRoute.


Related links

Read our ongoing series on moving our network to the cloud.

Deploying global remote VWAN connectivity with Azure VWAN and Azure VPN
http://approjects.co.za/?big=insidetrack/blog/deploying-global-remote-vwan-connectivity-with-azure-vwan-and-azure-vpn/ (Tue, 05 Dec 2023)

Editor’s note: This is the fifth in an ongoing series on moving our network to the cloud internally at Microsoft. Read the full series on the Inside Track Blog.

In the modern workplace, Microsoft employees access their work from diverse locations. To ensure secure and efficient connectivity to cloud and on-premises resources for our global workforce, we’re adopting Azure Virtual WAN (VWAN) in conjunction with enterprise-scale security solutions.

Our enterprise-scale security solutions are vital in authenticating remote users across Azure and on-premises resources, enabling seamless service-to-service authentication. Our approach creates a more robust and reliable environment by removing interdependencies between network services and physical locations. Through strong authentication enforcement and role-based access control, our security solutions are tailored to support deployments at an enterprise scale.

We’re evolving remote access for our employees by migrating our remote and VPN access infrastructure to a modern, cloud-based solution using Azure VPN and Azure VWAN. Our new solution accommodates evolving security requirements and scales to support the changing demands of our remote workforce. This transition improves our security posture and enhances the overall efficiency of our remote access infrastructure, aligning seamlessly with our commitment to scalable and secure solutions for our global workforce.

Moving to the Azure-based solution allows us to support all remote access users with the Azure VPN client. This unified approach creates a simplified user experience and performs better for remote employees than our previous solution.

Our solution’s core is Azure Virtual WAN, a networking service that combines many networking, security, and routing functionalities to unify Azure and on-premises networking capability into a single operational interface.

Azure VWAN supports site-to-site, point-to-site, and private connections between Azure and on-premises users and resources using ExpressRoute, Azure VPN, Azure Firewall, and advanced routing configuration. The hub and spoke architecture of Azure VWAN provides enterprise scale and performance from cloud-hosted Azure VWAN hubs in Azure regions across the globe. Using the globally distributed Azure public cloud infrastructure, we can quickly deploy a global transit network architecture for our entire enterprise, supporting instant connectivity from the closest Azure VWAN Hub to any on-premises network endpoints.

Using the Azure VPN client and the VPN support built into Azure VWAN, our employees connect to the closest regional hub, which securely and efficiently joins them to Azure VWAN and our global corporate network. Currently, Azure VPN is selectively deployed for specific use cases. It doesn’t serve as the default network access now, but its versatility allows for such a role, and we plan to make Azure VPN the default remote access solution soon.

Architecture diagram: user traffic flow on Azure VWAN in our hybrid network environment.

Using Azure VWAN and Azure VPN to manage our global network and remote access has resulted in many improvements to our wide area network architecture and the employee experience when using the network.

We’re using infrastructure as code (IaC) to deploy and scale our VPN capacity, enabling us to quickly accommodate and host over 100,000 users. Our ongoing efforts include onboarding all Microsoft employees to Azure VPN.

Protecting intellectual property is paramount for Microsoft. Our solution provides a highly secure environment through Azure VPN, using industry-standard encryption protocols and advanced security features. This ensures that all data transmitted between employees and resources in Azure or on-premises remains confidential and protected from unauthorized access.

Our architecture is designed to scale seamlessly as the user base grows. With the inherent scalability of Azure Virtual WAN, we can accommodate additional users and network resources without compromising performance. This flexibility ensures that Microsoft can support its expanding workforce without sacrificing connectivity or user experience.

Our network build process uses IaC principles to create a highly adaptable, robust, and reliable network environment. Our deployment templates and resource modules—created using the Bicep language—define the desired state of our VWAN infrastructure in a declarative manner. Following Microsoft best practices, we maintain a central Bicep template that invokes distinct modules—also defined in Bicep—to instantiate the necessary resources for deployment. This modular framework allows us to be flexible and accommodate new changes or requirements by applying various deployment patterns. For more information, visit Deploying a VWAN using infrastructure as code and CI/CD.
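As an added illustration of the central-template-plus-modules pattern described above (example code, not Microsoft Digital’s actual templates), the following Bicep shows a main.bicep that creates the Virtual WAN and a shared Entra ID VPN server configuration, then calls a hub module once per region; the two files are shown together, separated by comments. The region list, address ranges, resource names and the audience GUID are assumed placeholders.

```bicep
// ---- main.bicep: the central template; one module call per regional hub ----
@description('Regional hubs; each entry becomes one virtual hub plus its P2S gateway. Client pools must not overlap.')
param hubs array = [
  { name: 'hub-wus2', location: 'westus2', addressPrefix: '10.100.0.0/23', clientPool: '172.16.0.0/17' }
  { name: 'hub-weu', location: 'westeurope', addressPrefix: '10.100.2.0/23', clientPool: '172.16.128.0/17' }
]
@description('App registration the Azure VPN client requests tokens for (placeholder GUID, assumed).')
param vpnAudience string = '00000000-0000-0000-0000-000000000000'
var tenantId = subscription().tenantId
resource vwan 'Microsoft.Network/virtualWans@2023-09-01' = {
  name: 'vwan-corp'
  location: resourceGroup().location
  properties: { type: 'Standard', allowBranchToBranchTraffic: true }
}
// One VPN server configuration shared by every hub: Entra ID tokens only, no certificates or pre-shared keys.
resource vpnConfig 'Microsoft.Network/vpnServerConfigurations@2023-09-01' = {
  name: 'vpncfg-entra'
  location: resourceGroup().location
  properties: {
    vpnProtocols: [ 'OpenVPN' ]
    vpnAuthenticationTypes: [ 'AAD' ]
    aadAuthenticationParameters: {
      aadTenant: 'https://login.microsoftonline.com/${tenantId}'
      aadAudience: vpnAudience
      aadIssuer: 'https://sts.windows.net/${tenantId}/'
    }
  }
}

module hub './modules/hub.bicep' = [for h in hubs: {
  name: 'deploy-${h.name}'
  params: { hubName: h.name, location: h.location, addressPrefix: h.addressPrefix, clientPool: h.clientPool, vwanId: vwan.id, vpnConfigId: vpnConfig.id }
}]

// ---- modules/hub.bicep: one regional hub and the point-to-site gateway that serves it ----
param hubName string
param location string
param addressPrefix string
param clientPool string
param vwanId string
param vpnConfigId string
resource hub 'Microsoft.Network/virtualHubs@2023-09-01' = {
  name: hubName
  location: location
  properties: { addressPrefix: addressPrefix, virtualWan: { id: vwanId }, sku: 'Standard' }
}

resource p2s 'Microsoft.Network/p2sVpnGateways@2023-09-01' = {
  name: 'p2s-${hubName}'
  location: location
  properties: {
    virtualHub: { id: hub.id }
    vpnServerConfiguration: { id: vpnConfigId }
    vpnGatewayScaleUnit: 2 // capacity grows by raising this number and redeploying, not by rebuilding
    p2SConnectionConfigurations: [ {
      name: 'default'
      properties: { vpnClientAddressPool: { addressPrefixes: [ clientPool ] } }
    } ]
  }
}
```

Adding a region is a new entry in the hubs parameter and a redeploy; nothing in the module changes.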

Our solution offers centralized management and monitoring capabilities, enabling our support ecosystem to manage our VPN infrastructure efficiently. Our security team configures VPN settings and management through the Azure Dashboard, which also lets them monitor usage patterns. This centralized control ensures streamlined administration and effective troubleshooting.

We design the user experience to maximize productivity. Our solution optimizes network connectivity, relying on a global profile to minimize latency and allow employees to access hosted resources seamlessly from anywhere in the world. This eliminates barriers to productivity and empowers users to collaborate efficiently, irrespective of their geographic location.

Intellectual property protection often involves compliance requirements. Our solution adheres to industry best practices and relevant regulations to ensure that we meet necessary compliance standards. This includes data privacy, access controls, and auditability, providing peace of mind that intellectual property is handled in a secure and compliant manner.

We’re excited about the successful enterprise-scale deployment of our Azure Virtual WAN and Azure VPN-based solution. This deployment increases our ability to safeguard intellectual property while seamlessly supporting the connectivity needs of Microsoft employees. We remain committed to supporting the internal networking needs of Microsoft and ensuring secure and seamless connectivity as our organization grows.

Contact us today to explore how our solutions can help protect your intellectual property, enable remote access at scale, and provide a robust and secure network infrastructure tailored to your organization’s unique requirements.

Key Takeaways

  • Migrate to a cloud-based VPN solution. Transition your VPN and remote access infrastructure to Azure VPN and Azure VWAN for a more scalable and secure remote access solution.
  • Leverage Infrastructure as Code for network management. Adopt infrastructure as code (IaC) using the Bicep language to efficiently manage and scale your network infrastructure, allowing for flexible and rapid deployment.
  • Plan for scalability and user growth. Ensure your network architecture is designed to scale seamlessly with Azure Virtual WAN, accommodating additional users and resources without sacrificing performance.
  • Centralize management and monitoring. Use centralized management and monitoring tools, such as the Azure Dashboard, to efficiently administer VPN settings and manage network usage.

Try it out

Get started with Azure VWAN with routing intent and routing policies at your company.


Building resilient and secure virtual labs with Azure Firewall, Azure Container Apps, and Service Bus http://approjects.co.za/?big=insidetrack/blog/building-resilient-and-secure-virtual-labs-with-azure-firewall-azure-container-apps-and-service-bus/ Tue, 24 Oct 2023 19:36:35 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=12422 Editor’s note: This is the third in an ongoing series on moving our network to the cloud internally at Microsoft.  At Microsoft, our support, escalation, and customer engineers help Microsoft with solution troubleshooting, implementation assistance, integration walkthroughs, and many other complex support needs. Our Microsoft Digital (MSD) team created a virtual lab tool named MyWorkspace […]

The post Building resilient and secure virtual labs with Azure Firewall, Azure Container Apps, and Service Bus appeared first on Inside Track Blog.

Editor’s note: This is the third in an ongoing series on moving our network to the cloud internally at Microsoft.

At Microsoft, our support, escalation, and customer engineers help Microsoft with solution troubleshooting, implementation assistance, integration walkthroughs, and many other complex support needs.

Our Microsoft Digital (MSD) team created a virtual lab tool named MyWorkspace to help our engineers accurately replicate customer environments using cloud-based resources in Microsoft Azure so they can provide contextual troubleshooting and support. Recently, we developed the MyWorkspace network management service to reduce the complexity of deploying and managing network environments that host MyWorkspace virtual labs.

Using the capabilities of Azure Firewall, Azure Container Apps, Azure Service Bus, and the flexibility of infrastructure as code (IaC), the network management service enables MyWorkspace to provide a catalog of instantly deployable network topologies and management strategies for virtual labs. The service optimizes the deployment, performance, security, and usability of virtual lab network environments in Azure, creating a seamless experience for our engineers and contributing to an excellent customer support experience.

Architecture diagram: the connectivity needed to deploy and access virtual lab network environments, built from Azure Container Instances, Service Bus, Firewall, Virtual Networks, and Active Directory.

Using infrastructure as code for automation and consistency

Maintaining a catalog of network topologies is crucial to MyWorkspace’s functionality because our support engineers’ needs vary based on their customer support scenarios. Using the network management service, MyWorkspace provides pre-defined templates created by the MyWorkspace team and validated by MSD security teams. MyWorkspace uses these templates to dynamically deploy network infrastructure for virtual lab environments.

By using Azure Resource Manager and Bicep templates, all network topologies are deployed and configured as IaC. The templates for these network topologies can be developed, tested, and updated independently, ensuring their functionality, usability, and reusability before being uploaded to the catalog.

Creating dynamic networks with Azure Firewall and hub and spoke topology

When deploying network templates, hub and spoke architecture is the foundational topology for the MyWorkspace network management service. This design facilitates network isolation by centralizing control, segmenting traffic, and enhancing security through Azure Firewall—located within the hub virtual network. A hub and spoke model provides the following benefits in our environment:

  • Simplified management. A central hub simplifies management tasks, including traffic flow control, network policy management, traffic monitoring, and security measures enforcement.
  • Integrated scalability. The hub and spoke model inherently supports scalability. With virtual network peering, up to 500 distinct virtual networks can be connected to the virtual network hub.
  • Optimized resource usage. We can ensure efficient resource use by centralizing services and resources in the hub, such as removing peerings for unused virtual networks.
  • Improved troubleshooting. Centralized traffic flow makes identifying and troubleshooting network issues easier, enhancing network reliability.
  • Data security compliance. The hub and spoke model inherently enforces strict traffic segmentation, aiding in compliance with data security requirements and regulatory standards.

Azure Firewall serves as the central element in our hub and spoke network. By using Azure Firewall for traffic flow control and segment isolation, we gain several benefits, including:

  • High throughput. With a throughput capacity of 100 Gbps, the Premium tier of Azure Firewall ensures that the network can handle even the most demanding workloads without compromising performance.
  • Advanced security. The built-in transport layer security (TLS) inspection and intrusion detection capabilities provide an additional layer of security, ensuring that malicious traffic is detected and thwarted before it can harm the network.
  • Direct API calls. Using the Azure Firewall API from Azure CLI, Azure PowerShell, .NET, and other languages enables us to deeply integrate Azure Firewall functionality into our automation framework.
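The hub and spoke layout above, as an added Bicep example (not the MyWorkspace team’s template): a Premium Azure Firewall in the hub, one lab spoke whose only route out is the firewall, and the peerings between them. Resource names, address ranges and the single spoke are assumed; nothing here comes from the original templates.

```bicep
param location string = resourceGroup().location
// Premium policy: threat intel denies known-bad endpoints, IDPS alerts on signature hits. No rule collections
// are declared here, so the firewall denies everything by default; each lab template adds only the flows it needs.
resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'afwp-labs'
  location: location
  properties: { sku: { tier: 'Premium' }, threatIntelMode: 'Deny', intrusionDetection: { mode: 'Alert' } }
}
resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-afw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
// The hub carries only shared services; AzureFirewallSubnet is the mandatory subnet name.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [ { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.10.0.0/26' } } ]
  }
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Premium' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [ {
      name: 'ipcfg'
      properties: { subnet: { id: hubVnet.properties.subnets[0].id }, publicIPAddress: { id: pip.id } }
    } ]
  }
}
// Spoke default route to the firewall's private IP: no lab traffic leaves uninspected, and BGP propagation is
// disabled so a learned route cannot quietly override it.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-spoke-lab1'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [ { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress } } ]
  }
}
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-spoke-lab1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.20.0.0/16' ] }
    subnets: [ { name: 'workloads', properties: { addressPrefix: '10.20.0.0/24', routeTable: { id: spokeRoutes.id } } } ]
  }
}
// Peer in both directions; spokes are never peered with each other, so lab-to-lab traffic must cross the firewall.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: hubVnet
  name: 'to-spoke-lab1'
  properties: { remoteVirtualNetwork: { id: spokeVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01' = {
  parent: spokeVnet
  name: 'to-hub'
  properties: { remoteVirtualNetwork: { id: hubVnet.id }, allowVirtualNetworkAccess: true, allowForwardedTraffic: true }
}
```

Each additional lab is another spoke block with its own route table; removing the peering, as the post describes for unused labs, cuts it off from the hub without touching the firewall.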

Our team has worked closely with the Azure Firewall product team as Customer Zero—using Microsoft products internally within MSD. As a result, we’ve been able to provide feedback and use cases that the product team could use to improve features and functionality for Microsoft customers.


We’ve also pioneered new use cases for Azure Firewall, including NGINX server integration with Azure Firewall in the MyWorkspace network management service. This integration has brought flexibility to the network architecture, enabling the team to seamlessly support more inbound network flows.

With Azure Firewall’s seamless integration with Azure services, built-in high availability, automatic scaling, and robust logging and monitoring, it stands out as the primary choice for securing infrastructure.

“The partnership between MyWorkspace and the Azure Firewall Product team has been truly transformative,” says Varun Anantharaman, Senior Product Manager for the Azure Firewall product team. “MyWorkspace’s role as an early adopter, serving as Customer Zero, has been instrumental in refining the product for external users.”

Ortiz, Tibdewal, and Reisinger smile in a corporate photo.
Roberto Guzman Ortiz (left), Nirag Tibdewal (center), and Seth Reisinger (right) are part of the MyWorkspace team in Microsoft Digital Employee Experience. Ortiz, Tibdewal, and Reisinger are software engineers.

Reducing cluster complexity with Azure Container Apps

To build the MyWorkspace network management service, our team required an Azure hosting service that would reduce the need for infrastructure configuration and allow developers to focus on code delivery. After analyzing the various options, we chose Azure Container Apps. Built on Kubernetes, Azure Container Apps abstracts the underlying cluster infrastructure, allowing configuration and management using simplified IaC and continuous integration and delivery (CI/CD) deployment methods for rapid resource deployment.

We use the auto-scaling feature of Azure Container Apps to create simplified scaling rules based on events like HTTP requests, CPU usage, or queue message counts. With IaC, these scaling rules can be configured to accommodate microservice needs.

Azure Container App costs are tracked at the individual resource level, making it easier to understand and manage overall expenses. Since each Azure Container App is deployed as a separate microservice unit, scaling rules can be configured to place containers in an idle state during low resource use to reduce cost.

Enabling just-in-time access control with Azure Service Bus

Security and governance are crucial for creating more secure and compliant environments for our support engineers. We use just-in-time (JIT) access to grant temporary access to virtual lab environments for authorized users for a limited time. JIT access improves security and avoids persistent access to deployed network infrastructure. JIT sessions have a minimum duration of 1 hour and a maximum of 10 hours.

We’re using Azure Service Bus scheduled messages to track the precise expiration of these sessions. With scheduled messages, we calculate the expiry time for each virtual lab session and use the Message API to schedule a message for exactly that time.

Azure Service Bus automatically activates the scheduled message when the scheduled expiration time arrives. This message triggers the session deactivation microservice listening to the Service Bus for messages.

Using Azure Service Bus decreases complexity by removing the need for custom messaging code or session tracking logic in each microservice component. It also allows for precise deactivation of JIT sessions at the exact moment they expire.

Azure Service Bus scales instantly to accommodate increased workload without degrading performance. It also handles messaging efficiently, delivering and processing messages only when they’re due, without dedicated resources or continuous polling.
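To show how the scaling rules and idle-at-zero behaviour described for Azure Container Apps fit the JIT expiry queue just described, here is an added Bicep example (not MyWorkspace’s own code) of the session-deactivation worker as a Container App that scales on queue depth. The environment, namespace, queue and image are assumed to exist and are passed in as parameters; all names are placeholders.

```bicep
param location string = resourceGroup().location
@description('Resource ID of the existing Container Apps environment (assumed).')
param environmentId string
@description('Existing Service Bus namespace and queue that receive the scheduled expiry messages (assumed).')
param namespaceName string
param queueName string = 'jit-expiry'
@description('Container image of the session-deactivation worker (assumed).')
param workerImage string

resource sb 'Microsoft.ServiceBus/namespaces@2021-11-01' existing = { name: namespaceName }
resource queue 'Microsoft.ServiceBus/namespaces/queues@2021-11-01' existing = { parent: sb, name: queueName }

// Two queue-scoped keys: the worker only needs Listen; the KEDA scaler needs Manage to read queue depth,
// and Azure requires Manage to be paired with Listen and Send. Neither key is namespace-wide.
resource listenRule 'Microsoft.ServiceBus/namespaces/queues/authorizationRules@2021-11-01' = {
  parent: queue
  name: 'worker-listen'
  properties: { rights: [ 'Listen' ] }
}
resource scalerRule 'Microsoft.ServiceBus/namespaces/queues/authorizationRules@2021-11-01' = {
  parent: queue
  name: 'keda-manage'
  properties: { rights: [ 'Manage', 'Listen', 'Send' ] }
}

resource worker 'Microsoft.App/containerApps@2023-05-01' = {
  name: 'ca-jit-deactivator'
  location: location
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      activeRevisionsMode: 'Single' // no ingress block at all: nothing can reach the worker from outside
      secrets: [
        { name: 'sb-listen', value: listenRule.listKeys().primaryConnectionString }
        { name: 'sb-manage', value: scalerRule.listKeys().primaryConnectionString }
      ]
    }
    template: {
      containers: [ {
        name: 'deactivator'
        image: workerImage
        resources: { cpu: json('0.25'), memory: '0.5Gi' }
        env: [ { name: 'QUEUE_NAME', value: queueName }, { name: 'SB_CONNECTION', secretRef: 'sb-listen' } ]
      } ]
      scale: {
        minReplicas: 0 // idles at zero replicas between expiries; that idle state is the cost saving
        maxReplicas: 10
        rules: [ {
          name: 'queue-depth'
          custom: {
            type: 'azure-servicebus'
            metadata: { queueName: queueName, messageCount: '20' } // one replica per 20 pending expiry messages
            auth: [ { secretRef: 'sb-manage', triggerParameter: 'connection' } ]
          }
        } ]
      }
    }
  }
}
```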

The network management service uses Azure technology to provide a compliant and efficient software as a service (SaaS) solution for deploying network topology in MyWorkspace. This helps us deliver a virtual lab environment to more than 18,000 Microsoft employees that’s secure by design, optimizes user productivity, eliminates hardware costs, and provides good stewardship over Azure resources.

Key Takeaways

  • Adopt infrastructure as code. Use Azure Resource Manager and Bicep templates to deploy and maintain your Azure resources efficiently and consistently.
  • Take advantage of hub and spoke architecture. Implement a hub and spoke network model in Azure to benefit from simplified management, integrated scalability, and enhanced security.
  • Maximize Azure Firewall capabilities. Explore the advanced features of Azure Firewall—like the Premium tier’s high throughput—for efficient traffic flow control and enhanced network security.
  • Implement JIT access with Azure Service Bus. Improve security by enabling just-in-time access controls using Azure Service Bus scheduled messages for precise session tracking.
  • Simplify microservice infrastructure with Azure Container Apps. Use Azure Container Apps to abstract Kubernetes cluster infrastructure and employ auto-scaling features for optimal resource utilization.

Try it out

Try deploying your resources with PowerShell and Bicep.

