An Azure Virtual Network (VNet) is one of the foundational building blocks for your private network in Azure.
It allows Azure resources to securely communicate with each other, the internet, and on-premises networks.
Azure VNets provide isolation, segmentation, and secure communication between virtual machines (VMs), apps, and other Azure resources.
In essence, VNets provide a private, isolated network for your Azure resources to communicate within the Azure cloud environment, similar to a traditional on-premises network.
Key Features Of Azure Virtual Network
1. Private Network:
Azure Virtual Network provides isolation for your resources.
Unlike public networks, VNet traffic is routed and private within the Azure infrastructure.
VNet resources can have their own internal IP addresses and communicate with each other without exposing traffic to the internet unless explicitly configured.
2. Security and Isolation:
Network Security Groups
Network Security Groups (NSGs) can be applied to control access to and from subnets.
Azure Firewall
Azure Firewall and VPN Gateway enable secure communication between Azure VNets, on-premises environments, and external networks.
Private Link
Private Link allows you to access services (like Azure SQL Database) via private IPs, eliminating exposure to the internet.
3. Connectivity with On-Premises Networks:
Site-to-Site
Site-to-Site (S2S) VPN connections enable seamless communication between on-premises environments and Azure.
ExpressRoute
ExpressRoute provides a dedicated, private connection between on-premises infrastructure and Azure, offering better performance and reliability compared to public internet-based connections.
4. Multiple Subnets:
A single VNet can be divided into multiple subnets.
This segmentation allows you to organize and isolate resources based on specific security or performance requirements (e.g., front-end, back-end, database, etc.).
5. Scalable IP Addressing:
VNets provide flexible and scalable IP address management.
You can define your IP address space (CIDR block) and divide it into subnets.
Dynamic IP addressing is available for resources that do not require static IPs (e.g., virtual machines or web applications).
6. Peering and Shared Services:
VNet Peering allows you to connect VNets in the same or different regions, enabling resources in different VNets to communicate.
Shared Services
You can use a central VNet to provide common services (e.g., DNS, monitoring) to multiple other VNets in your organization.
7. Hybrid Connectivity:
VPN Gateway or ExpressRoute can be used to connect your Azure VNet to an on-premises data center, enabling a hybrid environment.
Virtual Network Gateways provide the interface for such hybrid solutions.
8. Azure DNS Integration:
Azure VNets integrate with Azure DNS, allowing automatic registration of DNS records for Azure resources (like VMs, App Services) within a VNet.
You can configure private DNS zones for custom domain resolution across VMs in a VNet.
9. Traffic Routing and Control:
Route Tables
Route Tables allow you to define custom routes and control how traffic flows between subnets or across different VNets.
User-Defined Routes
User-Defined Routes (UDR) can override default routes to define specific traffic paths, such as sending traffic through a network appliance (e.g., firewall or load balancer).
10. Service Endpoints and Private Link:
Service Endpoints
Service Endpoints extend your VNet's private IP address space to specific Azure services (e.g., Azure Storage, Azure SQL Database).
Private Link
Private Link provides private access to services hosted in Azure (including third-party services) over a private IP address.
11. Global Reach:
Azure supports Global VNet Peering across regions, allowing VNets in different geographic locations to securely communicate with each other.
Components Of Azure Virtual Network
Azure Virtual Networks are composed of various components that allow you to define and manage networking within your cloud environment.
These components help you configure, secure, and monitor network traffic and connectivity between your Azure resources.
1. Virtual Network (VNet)
It's the primary building block of networking in Azure.
A VNet is a logical representation of a network in Azure that defines a range of IP addresses that will be used for all the resources (e.g., VMs, Load Balancers, etc.) inside it.
A VNet allows resources within it to communicate securely and efficiently with each other, as well as with other VNets, on-premises resources, and external networks.
Key Elements:
Address Space
Defines the IP address range (e.g., 10.0.0.0/16) for the VNet.
The address space can be expanded if needed.
Subnets
Divides the address space into smaller subnets (e.g., 10.0.0.0/24) for logical segmentation.
Security and Routing
Defines Network Security Groups (NSGs) and custom routing rules for traffic management.
2. Subnets
A subnet is a range of IP addresses within a VNet.
Subnets are used to segment a VNet into smaller, more manageable parts.
Each subnet is associated with a route table and can have specific Network Security Groups (NSGs) for controlling inbound and outbound traffic.
Types of Subnets:
Public Subnet
Typically used for resources that need to be accessed from the internet (e.g., web servers, load balancers).
Private Subnet
Used for resources that should not be directly accessible from the internet (e.g., databases, internal services).
DMZ Subnet
A special subnet used for exposing certain services to external networks in a controlled manner.
3. IP Addressing
Azure Virtual Networks are based on IP address ranges (CIDR blocks).
These addresses can be used for both private and public communication.
Private IP Address
Assigned to Azure resources within the VNet for internal communication.
Public IP Address
Can be assigned to resources for access from the internet (e.g., Load Balancers, VPN Gateways, Application Gateways).
Static vs. Dynamic IPs
Azure supports both static and dynamic IP address assignment for resources.
Static IPs are used when a persistent, unchanging address is needed, whereas dynamic IPs are allocated when resources are started.
4. Network Security Groups (NSGs)
A Network Security Group (NSG) is a set of rules used to control inbound and outbound traffic to resources within a VNet.
It can be associated with subnets or individual network interfaces.
Inbound/Outbound Rules
NSGs define which traffic is allowed or denied based on source, destination, port, and protocol.
Application Layer Security
In addition to the basic NSG rules, more granular security can be achieved by using Azure Firewall or Web Application Firewall (WAF) for specific service protections.
5. Route Tables
A route table defines the way that traffic is routed between subnets and to/from external resources.
Each subnet in a VNet is associated with a route table that controls how traffic moves across that subnet.
System Routes
Azure automatically creates default routes for common services (e.g., traffic within the VNet, to/from the internet).
Custom Routes (UDRs)
You can define User-Defined Routes (UDRs) to control traffic based on specific needs (e.g., force all outbound traffic to go through a network virtual appliance).
6. VPN Gateway
An Azure VPN Gateway is a resource that allows you to connect your Azure VNet to on-premises networks via a VPN tunnel.
It provides a secure encrypted connection over the internet.
Site-to-Site (S2S) VPN
For connecting an on-premises network to Azure.
Point-to-Site (P2S) VPN
For connecting individual client machines to Azure.
VNet-to-VNet VPN
For securely connecting VNets in different regions or subscriptions.
7. Virtual Network Peering
VNet Peering enables the connection of two VNets in the same or different regions, allowing them to communicate using private IP addresses.
Peered VNets act as if they are part of the same network, but the traffic between them stays private and doesn’t traverse the internet.
Intra-region VNet Peering
Peering between VNets within the same Azure region.
Global VNet Peering
Peering between VNets in different regions, allowing resources in these VNets to communicate with low-latency and high-throughput connections.
8. Network Virtual Appliance (NVA)
A Network Virtual Appliance (NVA) is a specialized appliance running in a virtual machine in Azure.
It can be used to manage or inspect traffic, including functions such as firewalls, load balancers, and intrusion detection systems.
NVAs often require User Defined Routes (UDRs) to direct traffic through them.
9. Azure Firewall
The Azure Firewall is a cloud-native network security service that provides centralized protection to resources in Azure.
It can filter traffic at the network layer (L3/L4) and application layer (L7).
Azure Firewall supports
Application rules to filter traffic based on the URL or fully qualified domain name (FQDN).
Network rules to filter based on IP addresses, ports, and protocols.
10. Azure Load Balancer
An Azure Load Balancer is used to distribute incoming network traffic across multiple Azure resources to ensure high availability and reliability.
It supports:
Public Load Balancer
Distributes internet traffic to Azure resources.
Internal Load Balancer
Distributes traffic within a VNet.
Conclusion
Azure Virtual Network is a powerful, flexible, and scalable solution that allows you to design, manage, and control the flow of traffic between Azure resources, on-premises environments, and external networks.
With its features such as subnetting, network security, VPN connectivity, routing, and scalability, Azure VNets enable secure and efficient communication in a cloud-based environment.
By leveraging the various components of Azure Virtual Network — such as Network Security Groups (NSGs), VPN Gateways, Route Tables, VNet Peering, and Azure Firewall — you can create a highly secure, well-organized, and effective cloud network infrastructure that meets your specific business needs.
Leave a Reply to huay thai , Cancel reply