articles/security/fundamentals/production-network.md
Lines changed: 8 additions & 9 deletions
@@ -4,16 +4,15 @@ description: Learn about the Azure production network. See security access metho
4
4
services: security
5
5
documentationcenter: na
6
6
author: TerryLanfear
7
-
manager: barbkess
8
-
editor: TomSh
7
+
manager: rkarlin
9
8
10
9
ms.assetid: 61e95a87-39c5-48f5-aee6-6f90ddcd336e
11
-
ms.service: information-protection
12
-
ms.subservice: aiplabels
10
+
ms.service: security
11
+
ms.subservice: security-fundamentals
13
12
ms.topic: article
14
13
ms.tgt_pltfrm: na
15
14
ms.workload: na
16
-
ms.date: 06/28/2018
15
+
ms.date: 03/31/2023
17
16
ms.author: terrylan
18
17
19
18
---
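Review bot: the `ms.service` / `ms.subservice` values change from `information-protection` / `aiplabels` to `security` / `security-fundamentals`; confirm these are the values the sibling articles under `articles/security/fundamentals` use, since a mismatched taxonomy value is the usual reason a docs build rejects front matter. Removing `editor: TomSh` without a replacement and bumping `ms.date` to `03/31/2023` are consistent with the rest of this hunk, so no change needed there.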
@@ -24,12 +23,12 @@ The users of the Azure production network include both external customers who ac
24
23
## Internet routing and fault tolerance
25
24
A globally redundant internal and external Azure Domain Name Service (DNS) infrastructure, combined with multiple primary and secondary DNS server clusters, provides fault tolerance. At the same time, additional Azure network security controls, such as NetScaler, are used to prevent distributed denial of service (DDoS) attacks and protect the integrity of Azure DNS services.
26
25
27
-
The Azure DNS servers are located at multiple datacenter facilities. The Azure DNS implementation incorporates a hierarchy of secondary and primary DNS servers to publicly resolve Azure customer domain names. The domain names usually resolve to a CloudApp.net address, which wraps the virtual IP (VIP) address for the customer’s service. Unique to Azure, the VIP that corresponds to internal dedicated IP (DIP) address of the tenant translation is done by the Microsoft load balancers responsible for that VIP.
26
+
The Azure DNS servers are located at multiple datacenter facilities. The Azure DNS implementation incorporates a hierarchy of secondary and primary DNS servers to publicly resolve Azure customer domain names. The domain names usually resolve to a CloudApp.net address, which wraps the virtual IP (VIP) address for the customer's service. Unique to Azure, the VIP that corresponds to internal dedicated IP (DIP) address of the tenant translation is done by the Microsoft load balancers responsible for that VIP.
28
27
29
28
Azure is hosted in geographically distributed Azure datacenters within the US, and it's built on state-of-the-art routing platforms that implement robust, scalable architectural standards. Among the notable features are:
30
29
31
30
- Multiprotocol Label Switching (MPLS)-based traffic engineering, which provides efficient link utilization and graceful degradation of service if there is an outage.
32
-
- Networks are implemented with “need plus one” (N+1) redundancy architectures or better.
31
+
- Networks are implemented with "need plus one" (N+1) redundancy architectures or better.
33
32
- Externally, datacenters are served by dedicated, high-bandwidth network circuits that redundantly connect properties with over 1,200 internet service providers globally at multiple peering points. This connection provides in excess of 2,000 gigabytes per second (GBps) of edge capacity.
34
33
35
34
Because Microsoft owns its own network circuits between datacenters, these attributes help the Azure offering achieve 99.9+ percent network availability without the need for traditional third-party internet service providers.
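Review bot: the only edit in this hunk is replacing curly quotes with straight ones, but the rewritten DNS line still carries the broken sentence "Unique to Azure, the VIP that corresponds to internal dedicated IP (DIP) address of the tenant translation is done by the Microsoft load balancers responsible for that VIP." Since the line is being touched anyway, consider rewording it to something like "Unique to Azure, the translation of the VIP to the tenant's internal dedicated IP (DIP) address is done by the Microsoft load balancers responsible for that VIP." so the security-relevant point (the VIP-to-DIP mapping is handled by the load balancer, not exposed to the customer) reads clearly.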
@@ -55,8 +54,8 @@ Azure implements host-based software firewalls inside the production network. Se
55
54
56
55
Two categories of rules are programmed here:
57
56
58
-
-**Machine config or infrastructure rules**: By default, all communication is blocked. Exceptions exist that allow a VM to send and receive Dynamic Host Configuration Protocol (DHCP) communications and DNS information, and send traffic to the “public” internet outbound to other VMs within the FC cluster and OS Activation server. Because the VMs’ allowed list of outgoing destinations does not include Azure router subnets and other Microsoft properties, the rules act as a layer of defense for them.
59
-
-**Role configuration file rules**: Defines the inbound ACLs based on the tenants’ service model. For example, if a tenant has a web front end on port 80 on a certain VM, port 80 is opened to all IP addresses. If the VM has a worker role running, the worker role is opened only to the VM within the same tenant.
57
+
-**Machine config or infrastructure rules**: By default, all communication is blocked. Exceptions exist that allow a VM to send and receive Dynamic Host Configuration Protocol (DHCP) communications and DNS information, and send traffic to the "public" internet outbound to other VMs within the FC cluster and OS Activation server. Because the VMs' allowed list of outgoing destinations does not include Azure router subnets and other Microsoft properties, the rules act as a layer of defense for them.
58
+
-**Role configuration file rules**: Defines the inbound ACLs based on the tenants' service model. For example, if a tenant has a web front end on port 80 on a certain VM, port 80 is opened to all IP addresses. If the VM has a worker role running, the worker role is opened only to the VM within the same tenant.
60
59
61
60
**Native host firewall**: Azure Service Fabric and Azure Storage run on a native OS, which has no hypervisor and, therefore, Windows Firewall is configured with the preceding two sets of rules.
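Review bot: both rewritten list items keep `-**Machine config or infrastructure rules**:` and `-**Role configuration file rules**:` with no space after the leading dash, which Markdown renders as a literal "-**" paragraph rather than a bullet; since these lines are already being changed for the quote normalization, add the space (`- **Machine config or infrastructure rules**:`) so the two rule categories render as the list the sentence "Two categories of rules are programmed here:" introduces.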
0 commit comments