Network
Azure networking services overview.
Azure Virtual Network
Azure virtual networks (VNet) enable Azure resources such as VMs, web apps and databases to communicate with each other, with users on the internet and with your on-premises client computers.
- Virtual Networks and subnets span all availability zones in a region. They are regional.
- Each VNet can have up to four /16 IP ranges.
- Subnet :
- The address range for a subnet must be unique within the address space for the VNet.
- The range for one subnet can't overlap with other subnet IP address ranges in the same VNet.
- The IP address space for a subnet must be specified by using CIDR notation.
- For each subnet, Azure reserves five IP addresses : The first four addresses and the last address are reserved.
- The 1st value identifies the virtual network address.
- The 2nd is configured as the default gateway.
- The 3rd and 4th values are reserved so that Azure can map its DNS IP addresses to the VNet space.
- The last value supplies the virtual network broadcast address.
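As an added example (not Azure's own code), a small planner that applies the subnet rules above to a proposed layout with Python's standard ipaddress module: it lists the five reserved addresses of a subnet, counts what is left for your resources, and checks that subnets sit inside the VNet space and do not overlap. The VNet and subnet ranges are constructed sample values.

```python
# Added example (not Azure's own code): apply the VNet subnet rules above to a
# proposed layout using Python's standard ipaddress module.
from ipaddress import ip_network


def reserved_addresses(subnet):
    """Return the five addresses Azure reserves in a subnet, in the order the
    page lists them: network, default gateway, two Azure DNS mappings, broadcast."""
    net = ip_network(subnet)
    first = net.network_address
    return {
        "network": str(first),
        "gateway": str(first + 1),
        "dns1": str(first + 2),
        "dns2": str(first + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet):
    """Addresses left for your own resources once Azure's five are taken."""
    return ip_network(subnet).num_addresses - 5


def validate_subnets(vnet_spaces, subnets):
    """Check a proposed layout and return a list of problems (empty == valid).

    Rules checked: every subnet must lie inside one of the VNet's address
    ranges, subnets must not overlap each other, and a subnet must be at least
    a /29 (Azure's documented minimum, which leaves 3 usable addresses).
    """
    spaces = [ip_network(s) for s in vnet_spaces]
    nets = [ip_network(s) for s in subnets]
    problems = []
    for n in nets:
        if not any(n.subnet_of(space) for space in spaces):
            problems.append(f"{n} is outside the VNet address space")
        if n.prefixlen > 29:
            problems.append(f"{n} is smaller than /29")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample layout: one /16 VNet with two valid /24 subnets.
    vnet = ["10.0.0.0/16"]
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(validate_subnets(vnet, ["10.0.1.0/24", "10.0.2.0/24"]))
```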
IP Addressing
In Azure, you can use two types of IP addresses : Public IP & Private IP addresses.
Both types of IP addresses can be allocated in one of two ways : Dynamic and Static.
NAT - Private Link - Endpoints
Azure Virtual Network NAT simplifies outbound-only internet connectivity for virtual networks. When you configure this service on a subnet, all outbound connectivity uses the specified static public IP addresses.
Outbound connectivity is possible without load balancer or public IP addresses directly attached to virtual machines.
One NAT can be associated with one or more subnets within a VNet.
VNet service endpoint provides secure and direct connectivity to Azure services over an optimized route over the Azure backbone network.
Service Endpoints enable private IP addresses in the VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.
- Configuring Service Endpoints : Configured per resource provider, per subnet.
- System Routes : Optimal routes are added so that all resources within a subnet use the backbone.
- Network Security : Resource firewall rules can be configured to allow/deny traffic.
Azure Private Link enables you to access Azure PaaS services (such as SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your VNet.
- Azure Private Link keeps all traffic on the Microsoft global network. There's no public internet access.
- Private Link is global and there are no regional restrictions. You can connect privately to services running in other Azure regions.
- Private Link can privately deliver your own services in your customer's VNets.
- Services delivered on Azure can be brought into your private VNet by mapping your network to a private endpoint.
VNet Peering
Virtual network peering enables you to seamlessly connect two or more Virtual Networks in Azure. The virtual networks appear as one for connectivity purposes.
Network traffic between peered virtual networks is private. No public Internet, gateways or encryption is required in the communication between the virtual networks.
Gateway transit allows peered virtual networks to share the gateway and get access to resources.
Azure supports the following types of peering:
- Virtual network peering : Connecting virtual networks within the same Azure region.
- Global virtual network peering : Connecting virtual networks across Azure regions.
Peering supports cross-subscription connectivity but doesn't support transitive routing (service chaining can help).
Your peering isn't successfully established until both virtual networks in the peering have a status of Connected.
VNet Security
You can filter network traffic between subnets using either or both of the following options : Network Security Groups (NSGs) and Network virtual appliances.
Security
Network & Application Security Groups can contain multiple inbound and outbound security rules that enable you to filter traffic to and from resources by source and destination IP address, port and protocol.
- NSG can be associated to a subnet or a NIC. An NSG associated to a subnet applies to all NICs in that subnet.
- One NSG can be associated with multiple subnets or NICs.
- All NSGs include default DenyAll rules, one for inbound and one for outbound traffic.
- When an NSG is created, Azure creates the default security rules DenyAllInbound and AllowInternetOutbound for the group.
- The default behavior is to deny all inbound traffic from the internet and allow all outbound traffic to the internet.
Application security groups
Application security groups (ASGs) work in the same way as network security groups, but they provide an application-centric way of looking at your infrastructure.
You join the VM to an ASG, then you use the ASG as a source or destination in the network security group rules.
Network interfaces assigned to an ASG must be in the same VNet as the first network interface assigned to the ASG.
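To make the NSG and ASG semantics above concrete, here is an added toy evaluator (not Azure's code): rules are evaluated per direction in ascending priority with the first match deciding, Azure's built-in default rules sit at priorities 65000-65500 so any custom rule overrides them, and an ASG name can stand in for a source or destination. The VNet range, ASG membership and custom rules are constructed sample values; the default rule names are Azure's (the page names DenyAllInbound and AllowInternetOutbound, the VirtualNetwork and DenyAllOutBound ones complete the standard set).

```python
# Added example (not Azure's code): toy evaluator of NSG rule semantics. Per
# direction, rules are tried in ascending priority and the first match wins;
# defaults sit at 65000-65500 so custom rules (100-4096) override them.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = [ip_network("10.0.0.0/16")]                    # constructed VNet space
ASG_MEMBERS = {"asg-web": {"10.0.1.4", "10.0.1.5"}}   # constructed ASG membership


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    protocol: str = "*"     # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"       # "*", CIDR, service tag or ASG name
    dest: str = "*"
    dest_port: str = "*"    # "443", "1000-2000" or "*"


# Azure's built-in default rules (names and priorities as Azure defines them).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
]


def _addr_match(spec, ip):
    addr = ip_address(ip)
    in_vnet = any(addr in net for net in VNET)
    if spec in ASG_MEMBERS:            # ASG used as a rule source/destination
        return ip in ASG_MEMBERS[spec]
    tags = {"*": True, "VirtualNetwork": in_vnet, "Internet": not in_vnet}
    return tags[spec] if spec in tags else addr in ip_network(spec)


def _port_match(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)


def evaluate(custom_rules, direction, protocol, src, dst, dst_port):
    """Return (access, rule_name) of the first rule that matches the flow."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if (_addr_match(r.source, src) and _addr_match(r.dest, dst)
                and _port_match(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "<none>"   # not reached: the DenyAll defaults match everything


# Constructed custom rules: HTTPS from the internet only to the web ASG, explicit
# SSH deny from the internet, everything else left to the defaults.
CUSTOM_RULES = [
    Rule("AllowHttpsToWeb", 100, "Inbound", "Allow", "Tcp", "Internet", "asg-web", "443"),
    Rule("DenySshFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "22"),
]
```

Note that the SSH deny scoped to the Internet tag does nothing for east-west traffic: the same port-22 flow from 10.0.2.9 inside the VNet is still allowed by AllowVnetInBound, which is why lateral movement inside a VNet needs its own rules.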
A network virtual appliance is a VM that performs a network function such as a firewall, WAN optimization or other network function.
Azure Firewall is a managed, cloud-based network security service that protects your Azure VNet resources.
It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
When you deploy a firewall, the recommended approach is to implement a hub-spoke network topology.
The hub is a VNet in Azure that acts as a central point of connectivity to your on-premises network.
Spokes are virtual networks that peer with the hub, and can be used to isolate workloads.
By default, Azure Firewall denies all traffic through your virtual network.
To allow traffic for a particular resource or service, you need to define rules to control the specific traffic.
There are three kinds of rules you can configure for Azure Firewall : NAT, network and application.
- Network Rule : Only non-HTTP/S traffic, Protocol TCP, UDP, ICMP...
- Application Rule : Define fully qualified domain names (FQDNs) that can be accessed from a subnet. Protocol HTTP/S.
- NAT Rule : To configure NAT or Azure Firewall destination network address translation (DNAT) rules to translate and filter inbound traffic to your subnets.
- Helpful for publishing SSH, RDP or non-HTTP/S applications to the internet. Protocol TCP/UDP.
Hybrid Connectivity
Azure virtual networks enable you to link resources together in your on-premises environment and within your Azure subscription.
- Point-to-site VPN : The typical approach to a virtual private network (VPN) connection is from a computer outside your organization, back into your corporate network. In this case, the client computer initiates an encrypted VPN connection to connect that computer to the Azure virtual network.
- Site-to-site VPN : A site-to-site VPN links your on-premises VPN device or gateway to the Azure VPN gateway in a virtual network. In effect, the devices in Azure can appear as being on the local network. The connection is encrypted and works over the internet.
- Azure ExpressRoute : For environments where you need greater bandwidth and even higher levels of security, Azure ExpressRoute is the best approach. ExpressRoute provides dedicated private connectivity to Azure that doesn't travel over the internet. (See the Azure ExpressRoute section below.)
Azure VPN Gateway
Azure VPN Gateway is a type of virtual network gateway that sends encrypted traffic between an Azure VNet and an on-premises location.
VPN Gateway instances are deployed in a dedicated subnet of the virtual network and enable the following connectivity :
- Connect on-premises datacenters to virtual networks through a site-to-site connection.
- Connect individual devices to virtual networks through a point-to-site connection.
- Connect virtual networks to other virtual networks through a network-to-network connection.
The most significant implementation decision for your VPN gateway performance is selecting the appropriate SKU for your configuration.
If you configure a peering between the VNet that hosts your VPN gateway and another VNet, you must download and reinstall the VPN client to ensure that the new routes are downloaded to the client.
VPN Gateway Types
When you deploy a VPN gateway, you specify the VPN type : either policy-based or route-based.
The main difference between these two types of VPNs is how traffic to be encrypted is specified.
If defining which IP addresses are behind each tunnel is too cumbersome, route-based gateways can be used.
With route-based gateways, IPsec tunnels are modeled as a network interface or virtual tunnel interface.
IP routing decides which one of these tunnel interfaces to use when sending each packet.
Use a route-based VPN gateway if you need any of the following types of connectivity :
- Connections between virtual networks.
- Point-to-site connections.
- Multisite connections.
- Coexistence with an Azure ExpressRoute gateway.
Key features of route-based VPN gateways in Azure include :
- Supports IKEv2.
- Uses any-to-any (wildcard) traffic selectors.
- Can use dynamic routing protocols.
Policy-based VPN gateways specify statically the IP address of packets that should be encrypted through each tunnel.
This type of device evaluates every data packet against those sets of IP addresses to choose the tunnel where that packet is going to be sent through.
Key features of policy-based VPN gateways in Azure include :
- Support for IKEv1 (IKE : Internet Key Exchange) only.
- Use of static routing, where combinations of address prefixes from both networks control how traffic is encrypted and decrypted through the VPN tunnel.
- The source and destination of the tunneled networks are declared in the policy and don't need to be declared in routing tables.
- Policy-based VPNs must be used in specific scenarios that require them such as for compatibility with legacy on-premises VPN devices.
Some limitations about policy-based VPNs :
- A policy-based VPN can be used on the Basic gateway SKU only. The policy-based VPN type isn't compatible with other gateway SKUs.
- When you use a policy-based VPN, you can have only one VPN tunnel.
- You can only use policy-based VPNs for S2S connections, and only for certain configurations.
Configure On-premises VPN Device
Microsoft publishes a validated list of standard VPN devices that work well with the VPN gateway.
To configure your VPN device, you need the following information :
- A shared key : This key is the same shared key that you specify when you create the VPN connection.
- The public IP address of your VPN gateway.
- Configuration scripts are available for some devices.
VNet Peering vs VPN
| VNet Peering | VPN |
|---|---|
| Designed for VNet-to-VNet connectivity. | Designed for hybrid connectivity (site-to-site, point-to-site). |
| Supports cross-subscription, cross-region, cross-Azure AD tenant. | Supports cross-subscription, cross-region. |
| Leverages the Microsoft backbone for private IP address connectivity. | Requires a public IP for the VPN termination point. |
| Used for private, low-latency, limitless-bandwidth connectivity. | Use where encryption and/or transitive routing is needed. |
Azure ExpressRoute
ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider. With ExpressRoute, you can establish connections to Microsoft cloud services such as Azure and Microsoft 365. It supports up to 10Gbps (100Gbps with ExpressRoute Direct).
Connectivity can be from an any-to-any (IP VPN) network, a point-to-point Ethernet network or a virtual cross-connection through a connectivity provider at a colocation facility. ExpressRoute connections don't go over the public Internet.
ExpressRoute connectivity models
ExpressRoute supports the following models that you can use to connect your on-premises network to the Microsoft cloud :
- CloudExchange colocation.
- Point-to-point Ethernet connection.
- Any-to-any connection.
- Directly from ExpressRoute sites.
ExpressRoute with VPN failover
Combine Azure ExpressRoute and Azure VPN Gateway to create a failover to a VPN connection if there's a loss of connectivity in the ExpressRoute circuit.
Virtual WAN
Azure Virtual WAN helps to automate and optimize connectivity using the hub-and-spoke network architecture.
It is a networking service that brings many networking, security and routing functionalities together to provide a single operational interface. Some of the main features include:
- Branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE).
- Site-to-site VPN connectivity.
- Remote user VPN connectivity (point-to-site).
- Private connectivity (ExpressRoute).
- Intra-cloud connectivity (transitive connectivity for virtual networks).
- VPN ExpressRoute inter-connectivity.
- Routing, Azure Firewall and encryption for private connectivity.
Azure Hub-Spoke
A hub-spoke network topology is a way to isolate workloads while sharing services such as identity and security.
- The hub is a virtual network in Azure that acts as a central point of connectivity to your on-premises network.
- Spokes are virtual networks that peer with the hub. Shared services are deployed in the hub while individual workloads are deployed as spokes.
Traffic flows between the on-premises data center(s) and the hub through an ExpressRoute or VPN gateway connection.
Design HA Connectivity
Azure offers several networking services to help deliver applications such as Azure Content Delivery Network, Front Door, Traffic Manager, Load Balancer and Application Gateway.
Azure Load Balancer
Azure Load Balancer provides high-performance, low-latency Layer 4 load-balancing for all UDP and TCP protocols.
It provides the ability to utilize health probes that will automatically remove faulting instances.
- Azure Load Balancer (LB) can be used for inbound and outbound scenarios.
- You can implement a public or internal LB or use both types in a combination configuration.
- ALB supports three SKU options : Basic, Standard and Gateway.
- Basic Azure LB supports deployment in a single availability zone. Standard LB is zone-redundant.
- Basic Azure LB supports only Basic SKU public IP and only one AZ.
- Load Balancer scales up to millions of TCP and UDP application flows.
- To implement a load balancer, you configure four components :
- Front-end IP configuration : The public IP or internal IP that your LB responds to.
- Back-end pools : The back-end services that receive the traffic.
- Health probes : Ensure the resources in the backend are healthy.
- Load-balancing rules : Determine how traffic is distributed to back-end resources.
The ALB uses a five-tuple (source IP, source port, destination IP, destination port, and protocol type) hash to map/distribute traffic to available servers.
Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Application Gateway is an Application Delivery Controller (ADC) as a service, offering various layer 7 load-balancing capabilities for your applications.
- Load balances L7 traffic in a single region.
- The back-end pool can include Azure VMs, VM Scale Sets, App Service and even on-premises servers.
- Supported protocols : HTTP(S), HTTP/2 or WebSocket.
- Firewall protection : Implement a WAF to protect against web application vulnerabilities.
- Session stickiness : Use session stickiness to ensure client requests in the same session are routed to the same back-end server.
- Encryption : Supports end-to-end request encryption.
- Supports two primary methods of routing traffic : path-based routing and multiple-site routing.
- Path-based routing : Send requests with different URL paths to a different pool of back-end servers.
- Multiple-site routing : Configures more than one web application on the same application gateway instance.
- Supports HTTP header rewrite and traffic redirection.
Application Gateway components :
- Front-end IP address : Receives the client requests.
- An optional firewall checks incoming traffic for common threats before the requests reach the listeners.
- Listeners (one or more) : Receive the traffic and route the requests to the back-end pool.
- Routing rules : Determine how traffic is distributed to the back-end pool.
- Back-end pool : Contains web servers for resources like VMs or Virtual Machine Scale Sets.
By default, an application gateway monitors the health of all resources in its backend pool and automatically removes unhealthy ones.
It then monitors unhealthy instances and adds them back to the healthy backend pool when they become available and respond to health probes.
In addition to using default health probe monitoring, you can also customize the health probe to suit your application's requirements.
Traffic Manager
Azure Traffic Manager is a DNS-based traffic load balancer. This service allows you to distribute traffic to your public-facing applications across the global Azure regions, while providing HA and responsiveness.
Traffic Manager provides a range of traffic-routing methods to distribute traffic such as priority, weighted, performance, geographic, multi-value and subnet.
Because it load balances only at the domain level, it can't fail over as quickly as Front Door, owing to common challenges around DNS caching and systems not honoring DNS TTLs.
Business scenarios
- Increase application availability.
- Improve application performance.
- Combine hybrid applications.
- Distribute traffic for complex deployments.
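The failover caveat above is easiest to see in a simulation, so here is an added example (not Microsoft's code) that models Traffic Manager's priority and weighted routing methods behind a client-side DNS cache that honours the record TTL: once the primary endpoint is marked unhealthy, a client keeps using the cached answer until its TTL expires. The endpoint names, targets and timings are constructed sample values.

```python
# Added example (not Microsoft's code): simulate Traffic Manager style DNS
# routing and the client-side TTL caching that delays failover.
import random
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    target: str          # what the DNS answer points at, e.g. a regional FQDN
    priority: int = 1    # lower number = preferred (priority routing)
    weight: int = 1      # relative share of answers (weighted routing)
    healthy: bool = True


def route(endpoints, method, rng=random):
    """Return the endpoint the DNS answer would name, or None if none is healthy.

    'priority': the healthy endpoint with the lowest priority number.
    'weighted': a random healthy endpoint, chosen proportionally to weight.
    """
    healthy = [e for e in endpoints if e.healthy]
    if not healthy:
        return None
    if method == "priority":
        return min(healthy, key=lambda e: e.priority)
    if method == "weighted":
        return rng.choices(healthy, weights=[e.weight for e in healthy])[0]
    raise ValueError(f"unsupported routing method: {method}")


class CachingResolver:
    """A client-side DNS cache that honours the record TTL (in seconds)."""

    def __init__(self, endpoints, method, ttl):
        self.endpoints, self.method, self.ttl = endpoints, method, ttl
        self._cache = {}    # hostname -> (target, expiry time)

    def resolve(self, hostname, now):
        """Answer from cache while the TTL has not expired; otherwise re-query."""
        cached = self._cache.get(hostname)
        if cached and now < cached[1]:
            return cached[0]
        ep = route(self.endpoints, self.method)
        target = ep.target if ep else None
        self._cache[hostname] = (target, now + self.ttl)
        return target


def failover_demo(ttl, failure_at, probe_times):
    """Constructed scenario: two regions under priority routing, the primary
    fails at `failure_at`. Returns the target a caching client sees at each probe."""
    eps = [Endpoint("eastus", "app-eastus.example", priority=1),
           Endpoint("westus", "app-westus.example", priority=2)]
    client = CachingResolver(eps, "priority", ttl)
    seen = []
    for t in probe_times:
        if t >= failure_at:
            eps[0].healthy = False       # health probe marks the primary degraded
        seen.append(client.resolve("app.example", t))
    return seen
```

Lowering the TTL shortens the window in which clients keep hitting the dead primary, which is the trade-off Traffic Manager users tune; resolvers that ignore TTLs lengthen it regardless.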
Front Door
Azure Front Door lets you define, manage and monitor the global routing for your web traffic by optimizing for best performance and instant global failover for HA.
It is an application delivery network that provides global load balancing and site acceleration service for web applications.
It offers Layer 7 capabilities for your application like SSL offload, path-based routing, fast failover, caching to improve performance and high-availability of your applications.
Business scenarios
- Low latency : Ensure requests are sent to the lowest latency backends.
- Affinity : Ensure requests from the same end user are sent to the same backend.
- Support WAF and CDN integration for HTTP(S) traffic.
Front Door vs Traffic Manager
| Front Door | Traffic Manager |
|---|---|
| Supports HTTP(S). | Supports several protocols. |
| Accelerates web traffic through Microsoft's edge network. | Routes traffic by responding to DNS queries based on the routing method. |
| Traffic is proxied at the edge. | Traffic is routed directly. |
| Routing : latency, priority, weighted and session affinity. | Routing : performance, priority, weighted, geo and multi-value. |
| Adds layer 7 features, rate-limiting and IP-based ACLs. | Simply routes to healthy endpoints. |
Azure CDN
Azure Content Delivery Network offers a global solution for rapidly delivering high-bandwidth content to users.
Content Delivery Network lets you cache your content at strategically placed physical nodes across the world.
Business scenarios
- Implement point-of-presence locations that are close to large clusters of users.
- Reduce latency, both the transmission delay and the number of router hops.
- Support Microsoft, Akamai and Verizon content delivery networks.
- Use custom domains, file compression, caching and geo-filtering.