Azure Networking
Virtual Network
A Virtual Network (VNet) in Azure is a logically isolated network that securely connects Azure resources and extends on-premises networks. Key features include:
- Isolation: VNets provide isolation at the network level for segmenting resources and controlling traffic.
- Subnetting: Divide a VNet into subnets for resource organization and traffic control.
- Address Space: VNets have an address space defined using CIDR notation, determining the IP address range.
Subnets, CIDR
Subnets are subdivisions of a Virtual Network, allowing for better organization and traffic management.
CIDR (Classless Inter-Domain Routing)
CIDR notation represents IP addresses and their routing prefix, specifying the range of IP addresses for a network.
Routes and Route Tables
Routes
Routes dictate how network traffic is directed, specifying the destination and next hop.
Route Tables
Route Tables are collections of routes associated with subnets, enabling custom routing rules.
Network Security Groups (NSGs)
NSGs are fundamental for Azure’s network security, allowing filtering of inbound and outbound traffic. Key aspects include:
- Rules: NSGs define allowed or denied traffic based on source, destination, port, and protocol.
- Default Rules: NSGs have default rules for controlling traffic within the Virtual Network and between subnets.
- Association: NSGs can be associated with subnets or individual network interfaces.
Application Security Groups (ASGs)
ASGs group Azure virtual machines based on application requirements, simplifying network security:
- Simplification: ASGs allow defining rules based on application roles instead of individual IP addresses.
- Dynamic Membership: ASGs support dynamic membership based on tags or other attributes.
- Rule Association: Security rules can be associated with ASGs for intuitive and scalable network security management.
Azure Networking Advanced
Azure App Gateway & WAF
Azure Application Gateway is a web traffic load balancer that enables you to manage and route traffic to your web applications. Web Application Firewall (WAF) provides protection against web vulnerabilities. Key features include:
- Load Balancing: Distributes incoming traffic across multiple servers to ensure no single server is overwhelmed.
- SSL Termination: Offloads SSL processing, improving the efficiency of web servers.
- Web Application Firewall (WAF): Protects web applications from common web vulnerabilities and exploits.
Azure Load Balancer
Azure Load Balancer distributes incoming network traffic across multiple servers to ensure no single server is overwhelmed. Key features include:
- Load Balancing Algorithms: Supports different algorithms for distributing traffic, such as round-robin and least connections.
- Availability Sets: Works seamlessly with availability sets to ensure high availability.
- Inbound and Outbound Traffic: Balances both inbound and outbound traffic.
Azure DNS
Azure DNS is a scalable and secure domain hosting service. It provides name resolution using the Microsoft Azure infrastructure. Key features include:
- Domain Hosting: Hosts domain names and provides name resolution within Azure.
- Integration with Azure Services: Easily integrates with other Azure services like App Service and Traffic Manager.
- Global Availability: Provides low-latency responses globally.
Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. Key features include:
- Stateful Firewall: Allows or denies traffic based on rules and supports stateful inspection.
- Application FQDN Filtering: Filters traffic based on fully qualified domain names.
- Threat Intelligence Integration: Integrates with threat intelligence feeds for enhanced security.
Virtual Network Peering and VNet Gateway
Virtual Network Peering
Virtual Network Peering allows connecting Azure Virtual Networks directly, enabling resources in one VNet to communicate with resources in another. Key features include:
- Global VNet Peering: Peering can be established across regions.
- Transitive Routing: Traffic between peered VNets flows directly, improving performance.
VNet Gateway
VNet Gateway enables secure communication between on-premises networks and Azure Virtual Networks. Key features include:
- Site-to-Site VPN: Connects on-premises networks to Azure over an encrypted VPN tunnel.
- Point-to-Site VPN: Enables secure remote access to Azure resources.
VPN Gateway
Azure VPN Gateway provides secure, site-to-site connectivity between your on-premises network and Azure. Key features include:
- IPsec/IKE VPN Protocols: Ensures secure communication over the Internet.
- High Availability: Supports active-active and active-passive configurations for high availability.
- BGP Support: Allows dynamic routing between your on-premises network and Azure.
Explanation with Examples
Scenario
You have a web application hosted on Azure that interacts with a database. Additionally, you need to connect an on-premises network to your Azure network securely.
1. Azure Virtual Network (VNet)
A Virtual Network (VNet) in Azure is a logically isolated network that securely connects Azure resources and extends on-premises networks.
Steps to Create a VNet
- Navigate to Azure Portal:
- Go to the Azure Portal: portal.azure.com.
- Create a VNet:
- Go to “Create a resource” > “Networking” > “Virtual Network”.
- Click “Create”.
- Basics:
- Name:
MyVNet
- Address space:
10.0.0.0/16
(This defines the overall IP address range for the VNet) - Subscription: Select your subscription.
- Resource group: Create new or select existing (e.g.,
MyResourceGroup
). - Location: Select a region (e.g.,
East US
).
- Name:
- Subnets:
- Subnet1:
- Name:
WebSubnet
- Address range:
10.0.1.0/24
- Name:
- Subnet2:
- Name:
DbSubnet
- Address range:
10.0.2.0/24
- Name:
- Subnet1:
- Click “Review + create” and then “Create”.
Result: You now have a VNet named MyVNet
with two subnets (WebSubnet
and DbSubnet
).
2. Network Security Groups (NSGs)
NSGs contain security rules that allow or deny inbound and outbound traffic to network interfaces, VMs, and subnets.
Steps to Create and Associate an NSG
- Create an NSG:
- Go to “Create a resource” > “Networking” > “Network Security Group”.
- Click “Create”.
- Basics:
- Name:
WebNSG
- Resource group: Select
MyResourceGroup
. - Location:
East US
.
- Name:
- Click “Review + create” and then “Create”.
- Define Security Rules:
- Go to the newly created NSG (
WebNSG
). - Add inbound rules:
- Rule 1:
- Name:
Allow-HTTP
- Priority:
100
- Source:
Any
- Source port ranges:
*
- Destination:
Any
- Destination port ranges:
80
- Protocol:
TCP
- Action:
Allow
- Name:
- Rule 2:
- Name:
Allow-SSH
- Priority:
200
- Source:
Any
- Source port ranges:
*
- Destination:
Any
- Destination port ranges:
22
- Protocol:
TCP
- Action:
Allow
- Name:
- Rule 1:
- Go to the newly created NSG (
- Associate NSG with Subnet or Network Interface:
- Go to the VNet, select the
WebSubnet
, and associate the NSG (WebNSG
).
- Go to the VNet, select the
Result: Traffic to and from WebSubnet
is now filtered based on the rules in WebNSG
.
3. Azure Load Balancer
Azure Load Balancer distributes incoming network traffic across multiple VMs to ensure high availability.
Steps to Create a Load Balancer
- Create a Load Balancer:
- Go to “Create a resource” > “Networking” > “Load Balancer”.
- Click “Create”.
- Basics:
- Name:
MyLoadBalancer
- Type:
Public
- SKU:
Standard
- Region:
East US
- Resource group: Select
MyResourceGroup
.
- Name:
- Click “Review + create” and then “Create”.
- Create a Backend Pool:
- In the Load Balancer settings, add VMs (
WebVM1
,WebVM2
) to the backend pool.
- In the Load Balancer settings, add VMs (
- Create a Health Probe:
- Define a health probe (e.g., HTTP probe on port 80) to monitor the status of VMs.
- Create Load Balancing Rules:
- Define rules to distribute traffic:
- Name:
HttpTraffic
- Frontend IP: Public IP
- Protocol: TCP
- Port: 80
- Backend port: 80
- Backend Pool: Select the backend pool created earlier
- Health Probe: Select the health probe created earlier
- Name:
- Define rules to distribute traffic:
Result: Incoming HTTP traffic is balanced across WebVM1
and WebVM2
.
4. Azure Application Gateway
Azure Application Gateway provides application-level routing and load balancing services.
Steps to Create an Application Gateway
- Create an Application Gateway:
- Go to “Create a resource” > “Networking” > “Application Gateway”.
- Click “Create”.
- Basics:
- Name:
MyAppGateway
- SKU:
Standard_V2
- Instance count:
2
- Resource group: Select
MyResourceGroup
. - VNet: Select
MyVNet
- Subnet: Create a new subnet (e.g.,
AppGatewaySubnet
with10.0.3.0/24
).
- Name:
- Frontend IP configuration:
- Select
Public
and create a new public IP address.
- Select
- Backend pool:
- Add backend targets (e.g.,
WebVM1
,WebVM2
).
- Add backend targets (e.g.,
- HTTP settings:
- Configure settings such as port and protocol for backend communication.
- Routing rules:
- Create rules to define how requests are routed based on URL paths.
- Click “Review + create” and then “Create”.
Result: Application traffic is routed and balanced based on the specified rules and URL paths.
5. Azure VPN Gateway
A VPN Gateway provides secure connectivity between on-premises networks and Azure VNets.
Steps to Create a VPN Gateway
- Create a VPN Gateway:
- Go to “Create a resource” > “Networking” > “Virtual Network Gateway”.
- Click “Create”.
- Basics:
- Name:
MyVPNGateway
- Gateway type:
VPN
- VPN type:
Route-based
- SKU:
VpnGw1
- Virtual network: Select
MyVNet
- Public IP address: Create a new public IP address.
- Resource group: Select
MyResourceGroup
.
- Name:
- Click “Review + create” and then “Create”.
- Configure the Local Network Gateway:
- Specify the on-premises network details (e.g., address space).
- Create the VPN Connection:
- Go to the newly created VPN Gateway and configure a connection to the Local Network Gateway using shared keys.
Result: Secure communication between the on-premises network and MyVNet
.
Summary
By setting up a VNet with subnets, associating NSGs for traffic control, using Load Balancers and Application Gateways for efficient traffic management, implementing Azure DNS for domain resolution, and configuring VPN Gateways for secure connectivity, you can create a robust and secure Azure network environment. This setup ensures seamless interaction between web applications, databases, and on-premises resources.
Example Workflow
- Create
MyVNet
with address space10.0.0.0/16
and two subnets:WebSubnet
(10.0.1.0/24
) andDbSubnet
(10.0.2.0/24
). - Create
WebNSG
to allow HTTP and SSH traffic and associate it withWebSubnet
. - Deploy VMs (
WebVM1
,WebVM2
) inWebSubnet
andDbVM
inDbSubnet
. - Create a Load Balancer (
MyLoadBalancer
) to distribute traffic toWebVM1
andWebVM2
. - Create an Application Gateway (
MyAppGateway
) for URL-based routing and SSL termination. - Create a VPN Gateway (
MyVPNGateway
) and establish a secure connection to the on-premises network.
This detailed setup ensures your application and database are securely managed, with efficient traffic distribution and secure connectivity to on-premises resources.
On-Premises Network
+-------------------+
| On-Prem VM |
+--------+----------+
|
| Site-to-Site VPN
v
+--------+---------+
| VPN Gateway |
| (MyVPNGateway) |
+--------+---------+
|
v
+-------------------------------------------------+
| Azure VNet |
| (MyVNet) |
| Address Space: 10.0.0.0/16 |
| |
| +------------------+ +------------------+ |
| | Web Subnet | | DB Subnet | |
| | (10.0.1.0/24) | | (10.0.2.0/24) | |
| | | | | |
| | +--------------+ | | +--------------+ | |
| | | WebNSG | | | | DBNSG | | |
| | +------+-------+ | | +------+-------+ | |
| | | | | | | |
| | | | | | | |
| | v | | v | |
| | +------+--------+| | +------+--------+| |
| | | Load Balancer | | | Database VM | |
| | | (MyLoadBalancer) | | (DbVM) | |
| | +--------+-------+ | +--------+-------+ |
| | | | |
| | v | |
| | +--------+--------+ | |
| | | App Gateway | | |
| | | (MyAppGateway) | | |
| | +--------+--------+ | |
| | | | |
| | v | |
| | +--------+--------+ +--------+ +--------+ |
| | | Web VM 1 | | Web VM 2| |Web VM 3| |
| | | (10.0.1.4) | | (10.0.1.5)| (10.0.1.6)| |
| | +--------+--------+ +--------+ +--------+ |
| +--------------------+ +--|
| |
+-------------------------------------------------+
Virtual Network (VNet) Peering, VNet Gateway, and VPN Gateway in Azure
1. VNet Peering
VNet Peering allows you to connect two Azure Virtual Networks (VNets) so that resources in one VNet can communicate with resources in another VNet. This is useful for creating a network topology that spans multiple VNets while maintaining low latency and high bandwidth between them.
Key Features:
- Low Latency and High Bandwidth: VNet peering provides a direct connection between VNets, resulting in low latency and high throughput.
- Resource Access: Resources in peered VNets can communicate as if they are part of the same network.
- No Overlapping IPs: The IP address spaces of the VNets must not overlap.
Example Use Cases:
- Connecting VNets in different regions for disaster recovery.
- Isolating different tiers of an application across multiple VNets (e.g., web, application, and database tiers).
Diagram:
+------------+ +------------+
| VNet A | Peering | VNet B |
| 10.0.0.0/16|<-------->| 10.1.0.0/16|
+------------+ +------------+
| |
+--------+ +--------+
| VM A | | VM B |
+--------+ +--------+
2. VNet Gateway
A VNet Gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. It can also be used to send encrypted traffic between Azure virtual networks.
Key Features:
- Supports VPN: The VNet Gateway is used to establish a site-to-site VPN connection.
- Supports ExpressRoute: It can also be used with ExpressRoute to create a private connection to Azure.
Example Use Cases:
- Connecting an on-premises network to Azure via a site-to-site VPN.
- Connecting multiple VNets through a hub-and-spoke network topology.
Diagram:
+------------+ +-------------------+ +------------+
| On-Premises|------| VNet Gateway |------| Azure |
| Network | VPN | (Site-to-Site) | VNet | Network |
+------------+ +-------------------+ +------------+
3. VPN Gateway
A VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. It uses the IPsec and IKE protocols to provide secure communication.
Key Features:
- Site-to-Site VPN: Connects an on-premises network to Azure.
- Point-to-Site VPN: Allows individual clients to connect to the Azure network.
- Secure Communication: Uses industry-standard protocols for encryption and secure communication.
Example Use Cases:
- Establishing secure connectivity between an on-premises data center and Azure.
- Allowing remote users to securely connect to the Azure network from anywhere.
Diagram:
+------------+ +-------------------+ +------------+
| On-Premises| Site-to- | VPN Gateway | Site-to- | Azure |
| Network | Site | (VNet Gateway) | Site | Network |
+------------+<-------->| |--------->| (VNet) |
+-------------------+ +------------+
| Point-to-Site VPN |
+-------------------+
Comparison
Feature | VNet Peering | VNet Gateway | VPN Gateway |
---|---|---|---|
Purpose | Connect VNets within Azure | Connect Azure VNet to on-premises or other VNets | Connect Azure VNet to on-premises |
Latency | Low latency | Depends on network connection | Depends on network connection |
Bandwidth | High bandwidth | Depends on gateway SKU | Depends on gateway SKU |
Encryption | No | Yes | Yes |
Traffic Flow | Direct (private IP addresses) | Encrypted over public internet or private connection (ExpressRoute) | Encrypted over public internet |
Use Case | Intra-Azure VNet communication | Hybrid cloud scenarios, multi-VNet setups | Hybrid cloud scenarios, remote user access |
Summary Diagram
+-------------------------+
| On-Premises |
| Network |
+-------------------------+
|VPN
|
+---------v-----------+ +------------------------+
| VPN Gateway | Site-to-Site VPN | VNet Gateway |
| (On-Prem to Azure) |<------------------>| (On-Prem/VNet to Azure)|
+---------------------+ +------------------------+
| VPN/ER |
| |
+---------v-----------+ VNet Peering +--v---------------------+
| VNet A |<--------------------->| VNet B |
| 10.0.0.0/16 | | 10.1.0.0/16 |
+---------------------+ +------------------------+
| | | |
+-----+ +--+--+ +--+--+ +--+--+
| VM A| | VM B| | VM C| | VM D|
+-----+ +-----+ +-----+ +-----+
Conclusion
- VNet Peering: Best for low latency, high bandwidth communication between VNets within Azure.
- VNet Gateway: Suitable for connecting Azure VNets to on-premises networks or other VNets using encrypted connections.
- VPN Gateway: Ideal for secure, encrypted communication between on-premises networks and Azure, as well as for remote user access.
CIDR (Classless Inter-Domain Routing)
Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. Introduced in 1993, CIDR replaced the previous system based on classful addressing. CIDR allows for more efficient and flexible allocation of IP addresses than the older system.
Key Concepts of CIDR
- IP Address: A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
- Prefix Length: Indicates the number of significant bits in the network portion of the address, written after a slash (/) following the IP address.
How CIDR Works
CIDR notation is written as an IP address followed by a slash and a number. The number represents the prefix length, which tells how many bits are used for the network portion of the address.
Example of CIDR Notation
192.168.1.0/24
- IP Address:
192.168.1.0
- Prefix Length:
/24
- IP Address:
Steps to Understand CIDR Notation
- Understand IP Address Structure:
- An IP address consists of 32 bits, divided into four octets (8 bits each).
- Example:
192.168.1.0
in binary is11000000.10101000.00000001.00000000
.
- Identify Network and Host Portions:
- The prefix length (e.g.,
/24
) indicates the number of bits used for the network portion. - For
192.168.1.0/24
, the first 24 bits are the network portion, and the remaining 8 bits are for hosts.
- The prefix length (e.g.,
- Calculate the Subnet Mask:
- The subnet mask is a 32-bit number where the network portion is represented by 1s and the host portion by 0s.
- For
/24
, the subnet mask is255.255.255.0
(in binary:11111111.11111111.11111111.00000000
).
- Determine the Network Address:
- The network address is the first address in the range and is calculated by setting all the host bits to 0.
- For
192.168.1.0/24
, the network address is192.168.1.0
.
- Calculate the Range of IP Addresses:
- The number of available IP addresses is determined by the number of host bits.
- For
/24
, there are 8 host bits, so the range is2^8 = 256
addresses. - The usable IP range is from
192.168.1.1
to192.168.1.254
(excluding the network address192.168.1.0
and the broadcast address192.168.1.255
).
Examples of Different CIDR Notations
Example 1: 192.168.1.0/24
- Binary Representation:
- IP Address:
192.168.1.0
->11000000.10101000.00000001.00000000
- Subnet Mask:
/24
->11111111.11111111.11111111.00000000
- IP Address:
- Network Address:
192.168.1.0
- Usable IP Range:
192.168.1.1
to192.168.1.254
- Broadcast Address:
192.168.1.255
Example 2: 10.0.0.0/8
- Binary Representation:
- IP Address:
10.0.0.0
->00001010.00000000.00000000.00000000
- Subnet Mask:
/8
->11111111.00000000.00000000.00000000
- IP Address:
- Network Address:
10.0.0.0
- Usable IP Range:
10.0.0.1
to10.255.255.254
- Broadcast Address:
10.255.255.255
Advantages of CIDR
- Efficient IP Address Allocation: CIDR allows for more flexible allocation of IP addresses than the old classful system.
- Reduced Number of Routing Table Entries: Aggregates multiple IP addresses into a single entry, reducing the size of routing tables.
- Prevents IP Address Exhaustion: Helps in conserving the IPv4 address space by allowing variable-length subnet masking.
Summary Diagram
Below is a simplified representation of how CIDR notation works with 192.168.1.0/24
:
IP Address: 192.168.1.0
11000000.10101000.00000001.00000000
Subnet Mask: 255.255.255.0 (/24)
11111111.11111111.11111111.00000000
Network Portion:| Network | | Host |
192.168.1.0 to 192.168.1.255
| Usable IP Range: 192.168.1.1 to 192.168.1.254 |
Detailed Example Step-by-Step
- Understanding the IP Address:
- IP:
192.168.1.0
- Binary:
11000000.10101000.00000001.00000000
- IP:
- Identifying Network and Host Portions:
- Prefix Length:
/24
(24 bits for network, 8 bits for hosts) - Subnet Mask:
255.255.255.0
(Binary:11111111.11111111.11111111.00000000
)
- Prefix Length:
- Calculating Network Address:
- Network Address:
192.168.1.0
(Host bits set to 0)
- Network Address:
- Determining Usable IP Range:
- Usable Range:
192.168.1.1
to192.168.1.254
- Usable Range:
- Broadcast Address:
- Broadcast Address:
192.168.1.255
(Host bits set to 1)
- Broadcast Address:
Azure Networking Simplified
Virtual Network (VNet):
- A VNet in Azure is a private network that securely connects Azure resources and can extend to on-premises networks.
- Key Features:
- Isolation: Segregates resources and controls traffic.
- Subnetting: Divides the VNet into subnets for organization and traffic management.
- Address Space: Defined using CIDR notation to specify IP address ranges.
Subnets and CIDR:
- Subnets: Subdivisions of a VNet for better organization and traffic control.
- CIDR (Classless Inter-Domain Routing): Represents IP addresses and their routing prefix, defining the IP range.
Routes and Route Tables:
- Routes: Dictate how network traffic is directed.
- Route Tables: Collections of routes linked to subnets, allowing custom routing.
Network Security Groups (NSGs):
- NSGs filter inbound and outbound traffic.
- Key Aspects:
- Rules: Define allowed/denied traffic based on source, destination, port, and protocol.
- Default Rules: Predefined rules for controlling traffic within the VNet.
- Association: Can be linked to subnets or individual network interfaces.
Application Security Groups (ASGs):
- Group VMs by application requirements to simplify network security.
- Key Aspects:
- Simplification: Define rules based on application roles.
- Dynamic Membership: Supports tags and attributes.
- Rule Association: Security rules can be applied to ASGs.
Azure Application Gateway & WAF:
- Application Gateway: Manages and routes web traffic with load balancing and SSL termination.
- Web Application Firewall (WAF): Protects against web vulnerabilities.
Azure Load Balancer:
- Distributes network traffic across multiple servers for high availability.
- Key Features:
- Load Balancing Algorithms: Uses round-robin, least connections, etc.
- Availability Sets: Ensures high availability.
- Inbound and Outbound Traffic: Balances both types of traffic.
Azure DNS:
- Hosts domain names and provides name resolution within Azure.
- Key Features:
- Domain Hosting: Scalable and secure.
- Integration: Works with Azure services.
- Global Availability: Offers low-latency responses worldwide.
Azure Firewall:
- A managed network security service protecting Azure VNet resources.
- Key Features:
- Stateful Firewall: Supports stateful inspection.
- Application FQDN Filtering: Filters traffic by domain names.
- Threat Intelligence Integration: Uses threat intelligence feeds.
Virtual Network Peering and VNet Gateway:
- Virtual Network Peering: Connects VNets for direct communication.
- Key Features: Global peering and transitive routing.
- VNet Gateway: Secure communication between on-premises networks and Azure VNets.
- Key Features: Site-to-Site VPN and Point-to-Site VPN.
VPN Gateway:
- Provides secure connectivity between on-premises networks and Azure.
- Key Features:
- IPsec/IKE VPN Protocols: Secure communication.
- High Availability: Supports active-active and active-passive configurations.
- BGP Support: Enables dynamic routing.