- Communications and security boundary
- Provides network isolation and segmentations
- Enables Azure resources to communicate with each other securely
- E.g. VM's, storage accounts, App Service apps, Azure SQL database instances
- Uses Azure network backbone
- Communications are internal by default unless you explicitly make it external
- Name resolution
- Azure-provided DNS
- DNS service
- Traffic filtering
- NSGs
- Network Virtual Appliances
- ❗ 50-100 VNets allowed per subscription
- ❗ A resource can only be created in a virtual network that exists in the same region and subscription as the resource.
- Why multiple VNets?
- Saving money
- Service chaining: Share a network virtual appliance among several VNets
- Segmenting workloads
- NSGs and UDRs give you routing and traffic control
- E.g. hub and spokes
- Securing traffic
- Private connectivity that uses the Microsoft backbone network
- Saving money
- Moving a VNet
- ❗ When moving a virtual network, you must also move its dependent resources
- For VPN Gateways
- You must move IP addresses, virtual network gateways, and all associated connection resources.
- 💡 Local network gateways can be in a different resource group.
- For VPN Gateways
- To move a peered virtual network, you must first disable the virtual network peering
- ❗ You can't move a virtual network to a different subscription if the virtual network contains a subnet with resource navigation links
- For example, if an Azure Cache for Redis resource is deployed into a subnet, that subnet has a resource navigation link.
- ❗ When moving a virtual network, you must also move its dependent resources
- You can link app services, storage accounts, VM's
- Provides traffic isolation and segmentation
- Runs on Azure backbone network
- Configure communication with Internet
- 💡 Ensure only VMs that need public IP addresses get one.
- You need to link VNets together to allow communication
- Control traffic flows into the VNET, within the VNET, and between VNets.
- Have IPv4 address space
- Uses CIDR block of private RFC 1918 addresses that are not publicy/internet routable themselves
- VNets are divided into subnets
- E.g. in multi-tiered application, web-tier, business-tier, data-tier
- Good for protecting access using NSGs
- Good for having jumpbox and protecting who can connect to jump-box
- E.g. in multi-tiered application, web-tier, business-tier, data-tier
- Create subnets based on workloads
- E.g. all of your web front-ends will have similar access requirements, then you can bind NSG's on subnet level.
- Bind NSGs at the subnet level
- Not good to bind at VNet level for better troubleshooting
- Deploy a network virtual appliance (NVA) and user-defined routes (UDRs) to further customize traffic.
- Virtual appliance (NVA)
- E.g. enterprise grade firewall appliance, load balancer appliance
- They exist in Azure marketplace
- They'll be installed in VNet as a VM
- User defined routes (UDRs)
- Customize and control routing in a VNet
- Virtual appliance (NVA)
- Implement site-to-site or point-to-site VPN tunnels with on-premises environment
- You can use ARM templates e.g. from Github.
- Visual Studio is recommended for editing templates
- During deployment:
- Name: Must be unique
- Subnet: Default gives you one subnet, for more you can use ARM template or PowerShell/CLI
- DDoS protection
- Microsoft publishes their datacenter public IP address
- Bad actors run port-scanners on those IP addresses all the time
- Service endpoints
- Allows you to integrate Azure PaaS services
- After deployment:
- Address space
- You cannot edit
- You need to create new and delete old one.
- Subnets
- You can always add new subnets & deploy gateway subnet that'll be used by an Azure gateway.
- DNS server
- Default is azure provided
- You can use custom by additional DNS servers
- Affect all VMs
- Still uses Azure DNS when necessary
- Used when e.g. site-to-site or point-to-site connections, it'll affect all VMs.
- Diagram
- You can enable network watcher here.
- You then load in subscription or RG and enable.
- It shows topology
- Address space
- Stateful firewall for inbound and outbound traffic
- Stateful = 5-tuple hash
- Source + destination IP and ports
- Protocol
- Stateful = 5-tuple hash
- Has default rules
- Augmented rules
- Allow you specify list of IP-addresses
- No need to create several rules for same list
- Service tags
- Azure defined named IP address endpoints
- E.g. Internet, VirtualNetwork, AzureLoadBalancer, AzureTrafficManager, Storage, SQL, AzureCosmosDB, AzureKeyVault.
- Allows you to use names instead of IP addresses
- Application Security Groups (ASGs)
- Custom (user-defined) logical identifiers
- You can associate IP ranges and then use it as source/destination in NSG's.
- E.g. WebServer, WappServers, DbServers
- Can be bound to VNets, subnets or NICs
- 💡 Bind to subnets
- Security rules
- Priority: Lower the number, higher the priority of the rules
- If a VM doesn't need a public IP address (PIP), then don't assign one and use an Azure load balancer instead.
- Plan your VNet private address space to avoid overlap.
- Different from on-premises
- Different from other VNets in Azure
- Never configure networking from within the VM
- Do it on Azure instead using Azure abstractions
- Assigned to a single subnet.
- Have a public or private IP that's dynamic or static.
- IP forwarding
- E.g. if you have network appliance and you want to give it ability to forwar traffic that's not destined for itself