Strategy: Azure Region Peering
Executive Summary:
When selecting Azure data centers globally, we want to prioritize regions with the most extensive service availability while also ensuring that we have a presence in major geographical areas. This way, we can distribute the processing load and maintain a global presence.
Here are the core Azure regions we are using:
North America: East US (Virginia), East US 2 (Virginia), West US (California), West US 2 (Washington), and West US 3 (Arizona). These regions offer a comprehensive set of Azure services and are located on the East and West coasts of the United States, providing good coverage for users across the country.
Europe: West Europe (Netherlands), North Europe (Ireland), and Switzerland North (Zurich). These regions are well established and offer a wide range of Azure services. They cover Western and Northern Europe effectively, ensuring low latency for users in these areas. Keeping EU personal data in the EU-based regions also supports our GDPR objectives; note that Switzerland is outside the EU, so check any requirement that calls for EU-only storage before placing such data there.
Asia: Southeast Asia (Singapore) and East Asia (Hong Kong). These regions offer extensive Azure services and cater to users in Southeast Asia and East Asia, providing a good balance of coverage and service availability.
Australia: Australia East (New South Wales) and Australia Southeast (Victoria). Both regions cover the Australian continent effectively and offer a comprehensive set of Azure services.
South America: Brazil South (São Paulo State). This region provides good coverage for South America and offers a wide range of Azure services.
Africa: South Africa North (Johannesburg) and South Africa West (Cape Town). South Africa North offers a broad set of Azure services; South Africa West is its paired region with a smaller service catalogue, so confirm availability of each service we plan to deploy there.
Planning for the Global Azure Infrastructure
When planning the global Azure infrastructure, Seagen needs to evaluate some key objectives.
Latency: Ensure that our chosen data centers provide low latency to our target user base.
Service availability: Check the Azure services available in each region, as some services may not be available or may have limitations in specific regions.
Compliance and data sovereignty: Be aware of any data residency or compliance requirements for our organization or industry, and choose data centers accordingly.
Cost: Prices for Azure services can vary between regions. Make sure to consider these differences in our cost analysis.
Redundancy and high availability: Plan Seagen's infrastructure to handle failover scenarios, ensuring high availability in case of a region-specific outage. Where possible, place primary and secondary deployments in Azure region pairs (East US with West US, West Europe with North Europe, Southeast Asia with East Asia, Australia East with Australia Southeast, South Africa North with South Africa West), since Azure rolls planned platform updates out to one region of a pair at a time. Note that Brazil South is paired with South Central US, which is not in the list above.
By considering these factors and selecting the appropriate Azure regions, Seagen can distribute its processing load and ensure global availability for its services.
Differences Between Peering and VPN
When connecting Seagen's US-based data center to Azure regions around the world, the choice between peering Azure virtual networks across regions (global virtual network peering, referred to below as a peered Azure region) and establishing a VPN connection depends on Seagen's requirements and priorities.
Here’s a comparison of the two approaches to help us make an informed decision:
Peered Azure Region
Pros
Low-latency, high-bandwidth connectivity within Azure.
Seamless communication between Azure virtual networks as if they were on the same network.
Can establish private connectivity between regions without going through the public internet.
Simple setup: we only need to configure the peering between the two Azure virtual networks (one peering link on each side).
Cons
Limited to Azure infrastructure; it does not cover Seagen's on-premises data center. Peering is also not transitive: a peered virtual network can reach on-premises only if the virtual network that holds the VPN or ExpressRoute gateway shares it through gateway transit, and two spokes peered to the same hub cannot reach each other without their own peering or a routing appliance in the hub.
VPN Connection
Pros
Connects Seagen's on-premises data center to Azure regions, extending Seagen's on-premises network to Azure.
Provides IPsec/IKE-encrypted communication over the public internet, protecting data in transit.
Supports Site-to-Site (S2S) VPN connections, connecting Seagen's on-premises network to Azure virtual networks.
Can run alongside Azure ExpressRoute, for example with ExpressRoute as the primary path and the VPN as failover.
Cons
Bandwidth is limited compared to peered Azure regions, as it depends on Seagen's internet connection and the throughput ceiling of the VPN gateway SKU.
Latency is generally higher, as traffic is routed over the public internet.
VPN setup can be more complex, as it requires configuration on both the on-premises and Azure sides.
For connecting Seagen's US-based data center to Azure at all, a VPN connection (or ExpressRoute) is required, since peering alone cannot reach on-premises. However, for optimal performance and a more reliable connection, we may want to consider Azure ExpressRoute.
Azure ExpressRoute is a dedicated, private network connection between Seagen's on-premises infrastructure and Azure. It offers higher bandwidth, lower latency, and better reliability than a VPN connection. Keep in mind that ExpressRoute comes with additional costs and requires more involved setup and management, and that an ExpressRoute circuit is private but not encrypted by default: where encryption in transit is required, use MACsec on ExpressRoute Direct or run an IPsec tunnel over the circuit. It may still be the best solution for Seagen's use case.
With normal operations and an increase in processing or compute in Europe and Asia, it would make sense for Seagen to create VPN connections or ExpressRoute circuits directly to those regions. However, because Seagen does not have a robust roadmap for expansion to Europe or Asia as of 2023, the cost and complexity of tunneling to those regions is prohibitive. As Seagen matures, we will reevaluate the need for tunnels to those regions.
Advantages to Peering
Using peered Azure regions has several advantages beyond the ones previously mentioned.
Traffic Isolation: Peered Azure regions use the Microsoft backbone network for connectivity, so Seagen's inter-region traffic stays within the Azure network and does not traverse the public internet. This provides better isolation for inter-region communication.
No Gateway Required: Traffic between peered virtual networks does not pass through a virtual network gateway. This simplifies setup and reduces the management overhead associated with gateways. A gateway is still needed in whichever virtual network connects to on-premises; gateway transit lets the peered virtual networks share it.
Scalability: Peered Azure regions can handle high volumes of traffic, making them suitable for large-scale, data-intensive applications. Throughput between peered virtual networks is limited only by the resources (for example VM network bandwidth) in the virtual networks themselves, enabling us to scale Seagen's infrastructure as needed.
Cost Efficiency: Global virtual network peering is billed per gigabyte in each direction, with no hourly gateway charge, so for moderate inter-region volumes it is typically cheaper than running VPN gateways or ExpressRoute circuits in every region. Verify this with the pricing calculator for our expected volumes, since the per-gigabyte rate for global peering is higher than for peering within a region.
Simplified Management: Managing peered Azure regions is easier because the configuration is done entirely within the Azure portal, CLI, or APIs (ideally as code, so peering links and their flags are reviewed before deployment). This eliminates the need for on-premises configuration.
Integration with Azure Services: Peered Azure regions work with other Azure services such as Azure Load Balancer, Application Gateway, and Traffic Manager, allowing us to distribute traffic across regions more effectively.
Global Reach: Azure's extensive global infrastructure enables us to peer virtual networks across different regions worldwide, helping us build a robust, geographically distributed infrastructure that meets Seagen's needs.
While peered Azure regions offer many benefits, it is essential to remember that they are limited to Azure infrastructure and do not directly connect to Seagen's on-premises data center. For scenarios that require connecting on-premises infrastructure to Azure, we will need a VPN connection or ExpressRoute.
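As an added example (not Seagen's code and not Microsoft's), the following Python script validates a hub-and-spoke peering plan before any peering is created. It checks the address-space overlap constraint discussed under Security Concerns below (including against on-premises ranges, which the spokes reach through the hub's gateway), expands the plan into the explicit peering links that non-transitive peering requires, and emits the corresponding Azure CLI commands with gateway transit enabled only on the hub side. The virtual network names, resource groups, subscription ID and address prefixes are assumptions chosen for the example; it uses only the standard library and runs offline.

```python
"""Validate a cross-region VNet peering plan and emit the az CLI commands.

Added example, not Seagen's or Microsoft's code. Names, resource groups,
the subscription ID and all prefixes below are assumptions for illustration.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class VNet:
    name: str
    region: str
    resource_group: str
    prefixes: tuple  # CIDR strings making up the address space


def networks(vnet):
    return [ipaddress.ip_network(p) for p in vnet.prefixes]


def find_overlaps(vnets, onprem_prefixes=()):
    """Return (name_a, name_b, prefix_a, prefix_b) for every overlapping pair.

    On-premises ranges are included because spokes reach them through the
    hub's gateway (gateway transit), so they must not collide with any spoke.
    """
    onprem = VNet("on-premises", "n/a", "n/a", tuple(onprem_prefixes))
    issues = []
    for a, b in itertools.combinations([*vnets, onprem], 2):
        for pa in networks(a):
            for pb in networks(b):
                if pa.overlaps(pb):
                    issues.append((a.name, b.name, str(pa), str(pb)))
    return issues


def peering_links(hub, spokes, spoke_to_spoke=()):
    """Explicit (source, remote) links needed: hub<->spoke in both directions,
    plus both directions for each spoke pair that must talk directly, since
    peering is not transitive and does not chain through the hub."""
    links = [(hub, s) for s in spokes] + [(s, hub) for s in spokes]
    by_name = {s.name: s for s in spokes}
    for x, y in spoke_to_spoke:
        links += [(by_name[x], by_name[y]), (by_name[y], by_name[x])]
    return links


def vnet_id(subscription, vnet):
    return (f"/subscriptions/{subscription}/resourceGroups/{vnet.resource_group}"
            f"/providers/Microsoft.Network/virtualNetworks/{vnet.name}")


def az_peering_commands(hub, spokes, subscription, spoke_to_spoke=()):
    """One `az network vnet peering create` per link. The hub shares its VPN/
    ExpressRoute gateway (--allow-gateway-transit); each spoke consumes it
    (--use-remote-gateways, which requires the hub gateway to exist first and
    allows only one remote gateway per spoke). Spoke-to-spoke links get neither."""
    cmds = []
    for src, dst in peering_links(hub, spokes, spoke_to_spoke):
        flags = ["--allow-vnet-access", "--allow-forwarded-traffic"]
        if src == hub:
            flags.append("--allow-gateway-transit")
        elif dst == hub:
            flags.append("--use-remote-gateways")
        cmds.append(
            f"az network vnet peering create --name {src.name}-to-{dst.name} "
            f"--resource-group {src.resource_group} --vnet-name {src.name} "
            f"--remote-vnet {vnet_id(subscription, dst)} " + " ".join(flags))
    return cmds


# Constructed plan: the US hub holds the gateway to the data center; the
# European and Asian spokes reach on-premises through it via global peering.
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder value
HUB = VNet("vnet-hub-eastus", "eastus", "rg-network-us", ("10.0.0.0/16",))
SPOKES = (
    VNet("vnet-spoke-westeurope", "westeurope", "rg-network-eu", ("10.1.0.0/16",)),
    VNet("vnet-spoke-southeastasia", "southeastasia", "rg-network-asia", ("10.2.0.0/16",)),
)
# Constructed on-premises ranges; 10.2.0.0/20 deliberately collides with the Asian spoke.
ONPREM = ("192.168.0.0/16", "10.2.0.0/20")


def plan_is_valid(hub=HUB, spokes=SPOKES, onprem=ONPREM):
    """Refuse to emit commands while any overlap exists."""
    return not find_overlaps([hub, *spokes], onprem)


if __name__ == "__main__":
    for name_a, name_b, pa, pb in find_overlaps([HUB, *SPOKES], ONPREM):
        print(f"OVERLAP: {name_a} {pa} collides with {name_b} {pb}")
    if plan_is_valid():
        print("\n".join(az_peering_commands(HUB, SPOKES, SUBSCRIPTION)))
```

Run as-is, the script reports the deliberate collision between the Asian spoke and the on-premises 10.2.0.0/20 range and emits no commands; with the collision removed it prints the six peering commands (hub to each spoke, each spoke back to the hub, and the spoke-to-spoke pair if one is requested), which is the same set of links an infrastructure-as-code module should declare.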
Azure Peering Security Considerations
Azure region peering has its share of security benefits and concerns. Understanding these can help us make informed decisions about using peered Azure regions in Seagen's network infrastructure.
Security Benefits
Traffic Isolation: With Azure region peering, traffic between peered virtual networks traverses the Microsoft backbone network, so Seagen's data does not flow through the public internet. This provides better isolation for inter-region communication.
Encryption in Transit: Virtual network peering itself does not add encryption. Microsoft applies MACsec to traffic that leaves a data center over its backbone, so inter-region peered traffic is encrypted at the link layer between sites, but this is a platform control we do not manage and it does not apply within a data center. Treat application-layer encryption (TLS, or IPsec between workloads) as the control we rely on, and evaluate Azure's virtual network encryption feature for eligible VM sizes.
Simplified Network Segmentation: Because peering is explicit and non-transitive, it lets us keep workloads in separate virtual networks and connect only those that need to communicate, limiting the scope of a breach and containing its impact.
Network Security Group (NSG) support: We can apply NSGs to subnets and network interfaces within peered virtual networks to control inbound and outbound traffic. Note that the VirtualNetwork service tag expands to the address space of every peered virtual network as well as the local one, so the default AllowVnetInBound rule admits traffic from peered networks; add explicit rules for the peered prefixes and ports we intend to allow, followed by a deny rule for the rest.
Private Connectivity: Azure region peering enables private connectivity between resources in different virtual networks, reducing the exposure of services and applications to the public internet.
Security Concerns
Using Azure Peering also creates some security concerns and potential issues.
Address Space Overlap: The address spaces of peered virtual networks must not overlap; Azure rejects the peering if they do, and an overlap with on-premises ranges reached through gateway transit would leave part of the network unreachable. Plan a non-overlapping addressing scheme per region before creating any peering, since changing a virtual network's address space later is disruptive.
Misconfiguration: Incorrectly configuring peering settings (for example allowing forwarded traffic or gateway transit where it is not needed), security groups, or routing rules can lead to unintended network exposure. Properly reviewing and validating Seagen's configurations is essential to maintain security.
Increased Attack Surface: Peering multiple virtual networks increases the reachable surface of Seagen's infrastructure, as a compromised resource in one network can reach resources in every network it is peered with. Implementing proper network segmentation and security controls, and peering only where a traffic requirement exists, is critical to minimize this risk.
Monitoring and Visibility: Maintaining visibility into the interconnected virtual networks is necessary to detect and respond to security incidents quickly. Enable NSG flow logs (or virtual network flow logs) through Network Watcher on the peered networks, and ensure that we have appropriate monitoring, logging, and alerting in place for traffic crossing the peering.
By carefully considering these security benefits and concerns, we can effectively implement Azure region peering in Seagen infrastructure while maintaining a strong security posture.
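As an added example of the monitoring point above (not Seagen's code or Microsoft's), the following Python script scans NSG flow log (version 2) records, which Network Watcher writes as JSON with one comma-separated tuple per flow, for inbound traffic that a subnet accepted from a peered virtual network's address space. The log sample, prefixes, rule names and the approved (source prefix, port) list are constructed for the example. It reports flows from peered space that no approved entry covers, and flows that were admitted only by the default AllowVnetInBound rule, which means no explicit rule was written for them.

```python
"""Find accepted inbound flows from peered VNets in NSG flow log v2 records.

Added example, not Seagen's or Microsoft's code. The log below is constructed;
prefixes, rule names and the approved list are assumptions for illustration.
"""
import ipaddress
import json

LOCAL_PREFIXES = ("10.0.1.0/24",)                    # the subnet this NSG protects
PEERED_PREFIXES = ("10.1.0.0/16", "10.2.0.0/16")     # address spaces of peered VNets
APPROVED = {("10.1.2.0/24", 1433)}                   # (source prefix, destination port) policy

# Constructed NSG flow log, version 2. Each tuple is:
# timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction(I/O),decision(A/D),
# state(B/C/E),packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
# (the four counters are empty on a B "begin" record).
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2023-06-01T10:00:00Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_AllowAppTierSql", "flows": [{"mac": "000D3AF8BB2C", "flowTuples": [
            "1685613600,10.1.2.5,10.0.1.10,50211,1433,T,I,A,B,,,,",
            "1685613605,10.1.2.5,10.0.1.10,50211,1433,T,I,A,E,12,2048,10,5120"]}]},
        {"rule": "UserRule_AllowSqlFromWestEurope", "flows": [{"mac": "000D3AF8BB2C", "flowTuples": [
            "1685613608,10.1.9.9,10.0.1.10,33333,1433,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_AllowVnetInBound", "flows": [{"mac": "000D3AF8BB2C", "flowTuples": [
            "1685613610,10.2.7.33,10.0.1.10,41022,22,T,I,A,B,,,,",
            "1685613612,10.0.1.20,10.0.1.10,41023,445,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF8BB2C", "flowTuples": [
            "1685613620,203.0.113.9,10.0.1.10,55555,1433,T,I,D,B,,,,"]}]},
    ]}}]})


def parse_flow_tuples(log_text):
    """Yield (rule_name, flow) for every tuple in the log."""
    for record in json.loads(log_text)["records"]:
        for rule_block in record["properties"]["flows"]:
            for flow_group in rule_block["flows"]:
                for raw in flow_group["flowTuples"]:
                    f = raw.split(",")
                    yield rule_block["rule"], {
                        "ts": int(f[0]), "src": f[1], "dst": f[2],
                        "sport": int(f[3]), "dport": int(f[4]), "proto": f[5],
                        "direction": f[6], "decision": f[7], "state": f[8]}


def source_zone(ip):
    """Classify a source as local, peered or external relative to this subnet."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(p) for p in LOCAL_PREFIXES):
        return "local"
    if any(addr in ipaddress.ip_network(p) for p in PEERED_PREFIXES):
        return "peered"
    return "external"


def is_approved(src, dport):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) and port == dport for p, port in APPROVED)


def peering_findings(log_text):
    """Accepted inbound flows from peered space that policy does not cover.

    Returns (kind, src, dport, rule). kind is "unapproved" when no APPROVED
    entry matches, or "default-rule-only" when the traffic was admitted by a
    DefaultRule_* entry, i.e. the NSG has no explicit rule for it at all.
    """
    findings, seen = [], set()
    for rule, f in parse_flow_tuples(log_text):
        if f["direction"] != "I" or f["decision"] != "A":
            continue
        if source_zone(f["src"]) != "peered":
            continue
        key = (f["src"], f["dport"], rule)
        if key in seen:          # B/C/E records of one flow count once
            continue
        seen.add(key)
        if rule.startswith("DefaultRule_"):
            findings.append(("default-rule-only", f["src"], f["dport"], rule))
        elif not is_approved(f["src"], f["dport"]):
            findings.append(("unapproved", f["src"], f["dport"], rule))
    return findings


if __name__ == "__main__":
    for kind, src, dport, rule in peering_findings(SAMPLE_LOG):
        print(f"{kind}: {src} -> port {dport} via {rule}")
```

On the constructed sample the scanner stays quiet about the approved application-tier connection and about local and denied traffic, but reports the West Europe host that an over-broad user rule let through to the SQL port, and the SSH session from the Asian spoke that only the default AllowVnetInBound rule admitted. The same logic can run over real flow logs pulled from the storage account or from a Traffic Analytics export.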
Zero Trust Architecture Implications
Incorporating a Zero Trust architecture into Seagen's Azure region peering design means adopting a "never trust, always verify" approach to network security. The core principle of Zero Trust is to assume that no network, user, or device can be trusted by default, and access should only be granted after proper verification. Here's how Zero Trust affects Seagen's Azure region peering design.
Fine-grained access control: In a Zero Trust architecture, access to resources within peered virtual networks should be granted on a need-to-know basis. This means implementing fine-grained access control using role-based access control (RBAC), network security groups (NSGs), and firewall rules.
Network segmentation: Segment Seagen's virtual networks into smaller, isolated subnets to limit the scope of potential breaches and minimize their impact. By doing so, we'll have more control over the traffic and access between different parts of Seagen's network, making it easier to enforce Zero Trust principles.
Identity and access management (IAM): Authenticate and authorize users, devices, and applications before granting access to resources in the peered virtual networks. Use Azure Active Directory (Azure AD, now Microsoft Entra ID) for identity management and require multi-factor authentication (MFA) to ensure secure access.
Continuous monitoring and validation: Implement continuous monitoring and validation of Seagen's network configurations, access policies, and security controls. Use Azure Monitor, Microsoft Defender for Cloud (formerly Azure Security Center), and Microsoft Sentinel (formerly Azure Sentinel) to gather logs, detect threats, and respond to incidents in real time.
Micro-segmentation: Apply micro-segmentation to Seagen's network architecture, restricting communication between resources within the same virtual network, including within a subnet, where the default NSG rules otherwise allow everything. Use network security groups, application security groups, and Azure Firewall to enforce micro-segmentation.
Encryption: Ensure that data in transit between peered virtual networks is encrypted. Peering itself does not encrypt traffic; Microsoft applies MACsec on its backbone between data centers, but that is a platform control outside our management. Rely on TLS or IPsec between workloads for end-to-end protection, and evaluate Azure's virtual network encryption feature where the VM sizes we use support it.
Least privilege principle: Design Seagen's network architecture and access policies to follow the least privilege principle, ensuring that users, devices, and applications have the minimum necessary access to perform their tasks.
Security updates and patch management: Ensure that all resources in the peered virtual networks are up to date with the latest security patches and updates. Use Azure Update Manager (the successor to Azure Automation Update Management) and Azure Policy to automate patching and maintain compliance with Seagen's security requirements.
By incorporating these Zero Trust principles into Seagen's Azure region peering design, we can create a more secure and robust network infrastructure that better protects Seagen from potential threats.
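As an added example covering the NSG point under Security Benefits and the micro-segmentation point above (not Seagen's code or Microsoft's), the following Python script evaluates inbound NSG rules the way Azure does: rules are tried in ascending priority and the first match decides, the three default inbound rules sit at priorities 65000 to 65500, and the VirtualNetwork service tag covers the local address space plus every peered virtual network's address space. It shows that with no custom rules a host in a peered spoke can reach a database port, and how an explicit allow for the application tier followed by a catch-all deny for VirtualNetwork restricts it. Prefixes, rule names and ports are assumptions; it runs offline with the standard library.

```python
"""Evaluate inbound NSG rules with the VirtualNetwork tag expanded to peered VNets.

Added example, not Seagen's or Microsoft's code. The address spaces, rule
names and ports are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # 100-4096 for custom rules; lower number wins
    name: str
    source: str     # CIDR, "*", or a service tag
    dest_port: str  # "443", "1000-2000" or "*"
    access: str     # "Allow" or "Deny"


# Default inbound rules Azure adds to every NSG. They cannot be deleted, only
# overridden by custom rules with a lower priority number.
DEFAULT_INBOUND = (
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
)

LOCAL_PREFIXES = ("10.0.1.0/24",)                 # subnet hosting the database tier
PEERED_PREFIXES = ("10.1.0.0/16", "10.2.0.0/16")  # address spaces of peered VNets


def expand_source(source, local_prefixes, peered_prefixes):
    """Resolve a rule's source to IP networks. VirtualNetwork is the local
    address space PLUS every peered VNet's address space (this is what the tag
    means once peering exists). AzureLoadBalancer is the platform probe VIP."""
    if source == "VirtualNetwork":
        return [ipaddress.ip_network(p) for p in (*local_prefixes, *peered_prefixes)]
    if source == "AzureLoadBalancer":
        return [ipaddress.ip_network("168.63.129.16/32")]
    if source == "*":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(source)]


def port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        low, high = (int(x) for x in rule_port.split("-"))
        return low <= port <= high
    return int(rule_port) == port


def evaluate_inbound(rules, src_ip, dst_port,
                     local_prefixes=LOCAL_PREFIXES, peered_prefixes=PEERED_PREFIXES):
    """Return (access, rule_name) from the first matching rule by priority,
    assuming the destination is an address inside the protected subnet."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted((*rules, *DEFAULT_INBOUND), key=lambda r: r.priority):
        in_source = any(addr in net for net in
                        expand_source(rule.source, local_prefixes, peered_prefixes))
        if in_source and port_matches(rule.dest_port, dst_port):
            return rule.access, rule.name
    return "Deny", "implicit"   # not reachable: DenyAllInBound always matches


def hardened_rules():
    """Allow only the application-tier subnet to the SQL port, then deny
    everything else with a VirtualNetwork source, so the default
    AllowVnetInBound rule at 65000 is never reached for peered traffic."""
    return (
        Rule(100, "AllowAppTierSql", "10.1.2.0/24", "1433", "Allow"),
        Rule(4096, "DenyVnetInBound", "VirtualNetwork", "*", "Deny"),
    )


if __name__ == "__main__":
    cases = [("10.1.4.7", 1433), ("10.1.2.5", 1433), ("10.1.2.5", 22), ("203.0.113.9", 1433)]
    for src, port in cases:
        print(f"{src}:{port} no custom rules -> {evaluate_inbound((), src, port)}; "
              f"hardened -> {evaluate_inbound(hardened_rules(), src, port)}")
```

In the hardened set the allow rule names the application subnet explicitly rather than VirtualNetwork, and the deny at 4096 ensures that peerings added later do not silently widen access to the database tier; the same pattern applies per subnet when enforcing micro-segmentation inside one virtual network, with application security groups standing in for the literal prefixes.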
Conclusion
In conclusion, Seagen needs network connectivity to the regions where we operate. To do this we need a consistent pattern of implementation and delivery, coupled with a good network and security design.
We have chosen to use Azure virtual network peering across regions because of its speed of implementation and because we lack a clear roadmap of operations outside the US. This keeps the implementation simple and leaves us the opportunity to reevaluate in the coming months and years whether to add VPN or ExpressRoute connections from the data center directly to those regions alongside the peerings.