Azure Fundamental – Azure Networking (Part-6)

Azure Networking

Virtual Network

A Virtual Network (VNet) in Azure is a logically isolated network that securely connects Azure resources and extends on-premises networks. Key features include:

  • Isolation: Each VNet is its own routing domain. Nothing reaches it from the Internet or from another VNet until you add a public IP, a peering or a gateway, and Network Security Groups then decide what gets through.
  • Subnetting: Divide a VNet into subnets for resource organization and traffic control. NSGs and route tables are attached per subnet, so the subnet layout is where segmentation is actually decided.
  • Address Space: VNets have an address space defined using CIDR notation, determining the IP address range. Choose it so that it cannot overlap with on-premises ranges or with other VNets you may later peer or connect; overlapping spaces cannot be peered or routed to each other.

Subnets, CIDR

Subnets

Subnets are subdivisions of a Virtual Network, allowing for better organization and traffic management. Azure reserves five addresses in every subnet (the first four and the last), and a subnet can be no smaller than /29. Some services need a subnet of their own: the VPN gateway lives in a subnet that must be named GatewaySubnet, and Application Gateway requires a dedicated subnet as well.

CIDR (Classless Inter-Domain Routing)

CIDR notation represents IP addresses and their routing prefix, specifying the range of IP addresses for a network.

Routes and Route Tables

Routes

Routes dictate how network traffic is directed: each route pairs an address prefix with a next hop type (Virtual network, Internet, Virtual network gateway, Virtual appliance, or None to drop the traffic). Azure adds system routes to every subnet automatically. When several routes cover a destination, the longest matching prefix wins; on an equal prefix, a user-defined route overrides a BGP-learned route, which overrides a system route.

Route Tables

Route Tables are collections of user-defined routes associated with subnets, enabling custom routing rules such as sending 0.0.0.0/0 to a firewall so that nothing leaves the VNet without inspection. Verify the outcome on a VM's network interface under Effective routes; that view shows what the platform actually applies, including the system and gateway-learned routes you did not write.
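Route selection in Azure follows two steps: the longest matching prefix wins, and when a user-defined route and a system or BGP route cover the same prefix, the user-defined route wins (user-defined > BGP > system). The Python below is an added illustration written for this page, not code from the original post or from Azure: it replays that logic over a constructed "effective routes" list for a subnet in MyVNet. The firewall address 10.0.4.4 and the on-premises prefix 192.168.0.0/16 are assumptions.

```python
import ipaddress

# How Azure picks a route for a packet leaving a subnet:
#   1. longest prefix match across every route that applies to the subnet;
#   2. if several routes share the same prefix length, the route source decides:
#      user-defined route (UDR) beats a BGP-learned route, which beats a system route.
# Illustrative model written for this page, not Azure's own implementation.
PRECEDENCE = {"User": 0, "BGP": 1, "Default": 2}  # lower wins on an equal prefix

# Constructed "effective routes" for a subnet in MyVNet (10.0.0.0/16). The firewall
# address 10.0.4.4 and the on-premises prefix 192.168.0.0/16 are assumptions.
SYSTEM_ROUTES = [
    ("10.0.0.0/16", "VirtualNetwork", "Default"),   # intra-VNet traffic stays in the VNet
    ("0.0.0.0/0",   "Internet",       "Default"),   # everything else exits via Microsoft's edge
]
BGP_ROUTES = [
    ("192.168.0.0/16", "VirtualNetworkGateway", "BGP"),  # on-prem prefix learned over the VPN
]
USER_ROUTES = [  # a route table attached to WebSubnet
    ("0.0.0.0/0",      "VirtualAppliance:10.0.4.4", "User"),  # force Internet egress through the firewall
    ("10.0.2.0/24",    "VirtualAppliance:10.0.4.4", "User"),  # inspect web -> db traffic too
    ("192.168.0.0/16", "VirtualAppliance:10.0.4.4", "User"),  # and traffic headed on-premises
]


def select_route(dest_ip, routes):
    """Return (prefix, next_hop, source) Azure would use for dest_ip, or None if nothing matches."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = []
    for prefix, next_hop, source in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net:
            candidates.append((net.prefixlen, -PRECEDENCE[source], prefix, next_hop, source))
    if not candidates:
        return None
    # max() over (prefix length, negated precedence) implements
    # "longest prefix first, then UDR > BGP > system on a tie"
    _, _, prefix, next_hop, source = max(candidates)
    return prefix, next_hop, source


def next_hop_for(dest_ip, routes):
    """Convenience wrapper: just the next hop, or None."""
    chosen = select_route(dest_ip, routes)
    return chosen[1] if chosen else None


if __name__ == "__main__":
    effective = SYSTEM_ROUTES + BGP_ROUTES + USER_ROUTES
    for ip in ("10.0.1.9", "10.0.2.5", "192.168.10.5", "8.8.8.8"):
        print(f"{ip:>14} -> {select_route(ip, effective)}")
```

With the route table attached, traffic to the database subnet and to on-premises is pulled through the firewall by a more specific or higher-precedence user-defined route, while traffic inside WebSubnet's own /16 still uses the system VirtualNetwork route because nothing longer covers it. Remember that a 0.0.0.0/0 user-defined route also captures traffic to Azure's own public endpoints, which is why the Effective routes view on the NIC is worth checking after attaching a table.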

Network Security Groups (NSGs)

NSGs are fundamental for Azure’s network security, allowing stateful filtering of inbound and outbound traffic. Key aspects include:

  • Rules: NSGs define allowed or denied traffic based on source, destination, port, and protocol. Each rule has a priority from 100 to 4096; rules are evaluated from the lowest number upward and the first match wins, so a Deny at 100 cannot be undone by an Allow at 200.
  • Default Rules: Every NSG carries default rules at priority 65000 and above that cannot be deleted. Inbound, they allow traffic from the VirtualNetwork tag (the VNet, peered VNets and on-premises ranges reached through a gateway) and from the Azure load balancer probe, then deny everything else; outbound, they allow traffic to the VirtualNetwork tag and to the Internet, then deny everything else. The practical consequence is that any VM in the VNet can reach any other VM in the VNet until you add a lower-numbered Deny.
  • Association: NSGs can be associated with subnets or individual network interfaces. When both exist, inbound traffic must pass the subnet NSG and then the NIC NSG; outbound traffic passes the NIC NSG first and then the subnet NSG.

Application Security Groups (ASGs)

ASGs group the network interfaces of Azure virtual machines by application role, so that NSG rules can name roles instead of addresses:

  • Simplification: A rule can say "from WebServers to DbServers on the database port" rather than listing IP addresses, and it keeps working when VMs are added, replaced or re-addressed.
  • Membership: Membership is explicit: a NIC is added to one or more ASGs on its IP configuration; it is not derived from tags or other attributes. All NICs in an ASG must be in the same VNet, and the ASGs referenced by one rule must belong to that VNet too.
  • Rule Association: An ASG can be the source or destination of an NSG rule, which is what keeps rule sets readable and auditable as the VM count grows.

Azure Networking Advanced

Azure App Gateway & WAF

Azure Application Gateway is a layer-7 (HTTP/HTTPS) load balancer that routes requests to your web applications by host name and URL path. Its Web Application Firewall (WAF) tier adds protection against web vulnerabilities. Key features include:

  • Load Balancing: Distributes incoming requests across the backend pool so no single server is overwhelmed, with health probes taking unhealthy members out of rotation.
  • TLS Termination: Decrypts TLS at the gateway (often still called SSL termination), offloading the web servers; re-encrypt towards the backend if cleartext inside the VNet is not acceptable.
  • Web Application Firewall (WAF): Available on the WAF_v2 SKU, it inspects requests against the OWASP Core Rule Set to stop common web attacks such as injection and cross-site scripting before they reach the application. Start it in Detection mode to tune false positives, then switch to Prevention.

Azure Load Balancer

Azure Load Balancer is a layer-4 (TCP/UDP) load balancer that distributes incoming network traffic across multiple VMs so that no single server is overwhelmed. Key features include:

  • Distribution Mode: Flows are spread by a hash of the five tuple (source IP, source port, destination IP, destination port, protocol), not by round-robin or least-connections. Session persistence can be narrowed to client IP, or client IP and protocol, so that a given client keeps landing on the same backend.
  • Availability Sets and Zones: Works with availability sets, availability zones and virtual machine scale sets; health probes decide which backends receive traffic, so a failed VM or zone is skipped.
  • Inbound and Outbound Traffic: Balances inbound flows and, with the Standard SKU, provides outbound connectivity through outbound rules (SNAT). The Standard SKU is closed by default: a backend behind a Standard public load balancer receives nothing until an NSG explicitly allows the port.

Azure DNS

Azure DNS is a scalable domain hosting service that answers queries from Azure's name-server infrastructure. Key features include:

  • Domain Hosting: Public zones host your domain's records on Azure's authoritative name servers for the whole Internet; private zones provide name resolution for VMs inside linked VNets without publishing those names.
  • Integration with Azure Services: Easily integrates with other Azure services like App Service and Traffic Manager, and records are managed with the same Azure Resource Manager tooling and role-based access control as your other resources.
  • Global Availability: Public zones are served from an anycast network of name servers, giving low-latency responses globally.

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It sits in its own subnet (AzureFirewallSubnet) and sees traffic only when user-defined routes point at its private IP. Key features include:

  • Stateful Firewall: Network rules allow or deny traffic by source, destination, port and protocol with stateful inspection, so the return half of an allowed flow is accepted automatically.
  • Application FQDN Filtering: Application rules filter outbound HTTP/HTTPS by fully qualified domain name, which is how you let a VM reach only the update servers or package repositories it needs.
  • Threat Intelligence Integration: Uses Microsoft's threat intelligence feed to alert on, or alert and deny, traffic to and from known malicious IP addresses and domains.

Virtual Network Peering and VNet Gateway

Virtual Network Peering

Virtual Network Peering allows connecting Azure Virtual Networks directly over the Microsoft backbone, enabling resources in one VNet to communicate with resources in another using private IP addresses and without a gateway. Key features include:

  • Global VNet Peering: Peering can be established across regions as well as within one region.
  • Non-Transitive Routing: Traffic between two peered VNets flows directly, with the same latency and bandwidth as traffic inside a single VNet, but peering is not transitive: if A is peered with B and B with C, A cannot reach C unless A and C are peered as well or a hub forwards the traffic (through a firewall, or with gateway transit).

VNet Gateway

What this page calls a VNet Gateway is Azure's virtual network gateway: a resource deployed into a subnet named GatewaySubnet that connects the VNet to networks outside it. Its gateway type is either VPN (encrypted tunnels over the Internet) or ExpressRoute (a private circuit). Key features of the VPN type include:

  • Site-to-Site VPN: Connects on-premises networks to Azure over an IPsec/IKE-encrypted tunnel terminated on your on-premises VPN device.
  • Point-to-Site VPN: Enables secure remote access to Azure resources from individual client machines, authenticated with certificates, RADIUS or Microsoft Entra ID.

VPN Gateway

Azure VPN Gateway provides secure, site-to-site connectivity between your on-premises network and Azure. Key features include:

  • IPsec/IKE VPN Protocols: Ensures secure communication over the Internet.
  • High Availability: Supports active-active and active-passive configurations for high availability.
  • BGP Support: Allows dynamic routing between your on-premises network and Azure.

Explanation with Examples

Scenario

You have a web application hosted on Azure that interacts with a database. Additionally, you need to connect an on-premises network to your Azure network securely.

1. Azure Virtual Network (VNet)

A Virtual Network (VNet) in Azure is a logically isolated network that securely connects Azure resources and extends on-premises networks.

Steps to Create a VNet

  1. Navigate to Azure Portal:
  2. Create a VNet:
    • Go to “Create a resource” > “Networking” > “Virtual Network”.
    • Click “Create”.
    • Basics:
      • Name: MyVNet
      • Address space: 10.0.0.0/16 (This defines the overall IP address range for the VNet)
      • Subscription: Select your subscription.
      • Resource group: Create new or select existing (e.g., MyResourceGroup).
      • Location: Select a region (e.g., East US).
    • Subnets:
      • Subnet1:
        • Name: WebSubnet
        • Address range: 10.0.1.0/24
      • Subnet2:
        • Name: DbSubnet
        • Address range: 10.0.2.0/24
    • Click “Review + create” and then “Create”.

Result: You now have a VNet named MyVNet with two subnets (WebSubnet and DbSubnet).

2. Network Security Groups (NSGs)

NSGs contain security rules that allow or deny inbound and outbound traffic to network interfaces, VMs, and subnets.

Steps to Create and Associate an NSG

  1. Create an NSG:
    • Go to “Create a resource” > “Networking” > “Network Security Group”.
    • Click “Create”.
    • Basics:
      • Name: WebNSG
      • Resource group: Select MyResourceGroup.
      • Location: East US.
    • Click “Review + create” and then “Create”.
  2. Define Security Rules:
    • Go to the newly created NSG (WebNSG).
    • Add inbound rules. They are evaluated in priority order, lowest number first, and the built-in DenyAllInBound rule at 65500 drops anything you do not explicitly allow:
      • Rule 1:
        • Name: Allow-HTTP
        • Priority: 100
        • Source: Any
        • Source port ranges: *
        • Destination: 10.0.1.0/24 (the WebSubnet range, rather than Any, so the rule cannot silently cover another subnet if the NSG is reused)
        • Destination port ranges: 80
        • Protocol: TCP
        • Action: Allow
      • Rule 2:
        • Name: Allow-SSH
        • Priority: 200
        • Source: Your management address range only (for example the on-premises range that arrives over the VPN gateway). Do not leave this as Any: port 22 open to the Internet is scanned and brute-forced within minutes of the public IP going live.
        • Source port ranges: *
        • Destination: 10.0.1.0/24
        • Destination port ranges: 22
        • Protocol: TCP
        • Action: Allow
  3. Associate NSG with Subnet or Network Interface:
    • Go to the VNet, select the WebSubnet, and associate the NSG (WebNSG).
    • Give DbSubnet its own NSG that allows only the database port from 10.0.1.0/24. Without it, the default AllowVnetInBound rule lets every VM in the VNet reach the database.

Result: Traffic to and from WebSubnet is now filtered based on the rules in WebNSG: HTTP from anywhere, SSH only from the management range, and everything else inbound denied by the default rules.
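The rule set above can be checked before anything is deployed. The Python below is an added illustration written for this page, not code from the original post or from Azure: it replays Azure's NSG evaluation (first match in ascending priority, with the three non-deletable inbound defaults appended) over constructed rules, and runs the WebNSG exactly as the steps define it next to a tightened version that names its targets by Application Security Group (see the ASG section earlier on this page) and restricts SSH. The VNet space, the on-premises range 192.168.0.0/16, the admin subnet 192.168.10.0/24, the attacker address 203.0.113.7 and the ASG membership are all assumptions, and service tags are approximated because the real ones are Microsoft-maintained prefix lists.

```python
import ipaddress
from dataclasses import dataclass

# Illustrative model of NSG inbound evaluation, written for this page (not Azure's code).
# Simplifications, all assumptions: the VirtualNetwork tag is the VNet space plus an assumed
# on-premises range; Internet is "anything not VirtualNetwork"; the AzureLoadBalancer tag is
# the platform probe address 168.63.129.16; ASG membership is an explicit set of NIC IPs.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
ON_PREM_SPACE = ipaddress.ip_network("192.168.0.0/16")        # assumed, reached over the VPN
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")         # Azure health-probe source address
ASGS = {"WebServers": {"10.0.1.4", "10.0.1.5"}, "DbServers": {"10.0.2.4"}}  # constructed membership


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for your rules; Azure's defaults sit at 65000 and above
    src: str          # CIDR, service tag, ASG name or "*"
    dst: str
    dst_ports: str    # "80", "22", "1000-2000", "80,443" or "*"
    proto: str        # "Tcp", "Udp" or "*"
    action: str       # "Allow" or "Deny"


# The three inbound rules every NSG is born with. They cannot be deleted,
# only overridden by a lower-numbered rule of your own.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]


def match_addr(spec: str, ip: str) -> bool:
    """Does address spec (CIDR, tag, ASG or *) cover ip?"""
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET_SPACE or addr in ON_PREM_SPACE
    if spec == "Internet":
        return not match_addr("VirtualNetwork", ip)
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    if spec in ASGS:
        return ip in ASGS[spec]
    return addr in ipaddress.ip_network(spec, strict=False)


def match_port(spec: str, port: int) -> bool:
    """Port spec may be *, a single port, a range "a-b", or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, dst_port, proto="Tcp"):
    """First match in ascending priority wins, exactly as Azure evaluates an NSG."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.proto not in ("*", proto):
            continue
        if (match_addr(rule.src, src_ip) and match_addr(rule.dst, dst_ip)
                and match_port(rule.dst_ports, dst_port)):
            return rule.action, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# WebNSG as the steps above define it (Source: Any, Destination: Any).
WEB_NSG_AS_WRITTEN = [
    Rule("Allow-HTTP", 100, "*", "*", "80", "Tcp", "Allow"),
    Rule("Allow-SSH", 200, "*", "*", "22", "Tcp", "Allow"),
]
# Same intent, tightened: targets named by ASG, SSH only from an assumed admin range,
# and lateral SSH from elsewhere in the VNet denied ahead of AllowVnetInBound.
WEB_NSG_HARDENED = [
    Rule("Allow-HTTP", 100, "*", "WebServers", "80", "Tcp", "Allow"),
    Rule("Allow-SSH-Admin", 200, "192.168.10.0/24", "WebServers", "22", "Tcp", "Allow"),
    Rule("Deny-SSH-Lateral", 300, "VirtualNetwork", "WebServers", "22", "Tcp", "Deny"),
]

if __name__ == "__main__":
    attacker, admin, db_vm, web_vm = "203.0.113.7", "192.168.10.5", "10.0.2.4", "10.0.1.4"
    print("as written, SSH from Internet:", evaluate(WEB_NSG_AS_WRITTEN, attacker, web_vm, 22))
    print("hardened,   SSH from Internet:", evaluate(WEB_NSG_HARDENED, attacker, web_vm, 22))
    print("hardened,   SSH from admin:   ", evaluate(WEB_NSG_HARDENED, admin, web_vm, 22))
    print("hardened,   SSH from DbVM:    ", evaluate(WEB_NSG_HARDENED, db_vm, web_vm, 22))
    print("hardened,   probe on 8080:    ", evaluate(WEB_NSG_HARDENED, "168.63.129.16", web_vm, 8080))
```

The first line of output shows the problem with the steps as written: SSH from an arbitrary Internet address is allowed. The fourth line shows why an explicit Deny ahead of the defaults matters: without it, a compromised DbVM could SSH into the web tier under AllowVnetInBound, since both addresses fall inside the VirtualNetwork tag.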

3. Azure Load Balancer

Azure Load Balancer distributes incoming network traffic across multiple VMs to ensure high availability.

Steps to Create a Load Balancer

  1. Create a Load Balancer:
    • Go to “Create a resource” > “Networking” > “Load Balancer”.
    • Click “Create”.
    • Basics:
      • Name: MyLoadBalancer
      • Type: Public
      • SKU: Standard (supports availability zones and outbound rules, and is closed to inbound traffic until an NSG on the backend allows the port)
      • Region: East US
      • Resource group: Select MyResourceGroup.
    • Click “Review + create” and then “Create”.
  2. Create a Backend Pool:
    • In the Load Balancer settings, add VMs (WebVM1, WebVM2) to the backend pool.
  3. Create a Health Probe:
    • Define a health probe (e.g., HTTP probe on port 80) to monitor the status of VMs.
  4. Create Load Balancing Rules:
    • Define rules to distribute traffic:
      • Name: HttpTraffic
      • Frontend IP: Public IP
      • Protocol: TCP
      • Port: 80
      • Backend port: 80
      • Backend Pool: Select the backend pool created earlier
      • Health Probe: Select the health probe created earlier

Result: Incoming HTTP traffic is balanced across WebVM1 and WebVM2.

4. Azure Application Gateway

Azure Application Gateway provides application-level routing and load balancing services.

Steps to Create an Application Gateway

  1. Create an Application Gateway:
    • Go to “Create a resource” > “Networking” > “Application Gateway”.
    • Click “Create”.
    • Basics:
      • Name: MyAppGateway
      • SKU: Standard_v2 (choose WAF_v2 if the Web Application Firewall is required)
      • Instance count: 2
      • Resource group: Select MyResourceGroup.
      • VNet: Select MyVNet
      • Subnet: Create a new, dedicated subnet (e.g., AppGatewaySubnet with 10.0.3.0/24); Application Gateway cannot share a subnet with other resources.
    • Frontend IP configuration:
      • Select Public and create a new public IP address.
    • Backend pool:
      • Add backend targets (e.g., WebVM1, WebVM2).
    • HTTP settings:
      • Configure the backend port and protocol; use HTTPS to the backend if traffic decrypted at the gateway must not cross the VNet in the clear.
    • Routing rules:
      • Create rules to define how requests are routed based on URL paths.
    • Click “Review + create” and then “Create”.

Result: Application traffic is routed and balanced based on the specified rules and URL paths.

5. Azure VPN Gateway

A VPN Gateway provides secure connectivity between on-premises networks and Azure VNets.

Steps to Create a VPN Gateway

  1. Create a VPN Gateway:
    • Go to “Create a resource” > “Networking” > “Virtual Network Gateway”.
    • Click “Create”.
    • Basics:
      • Name: MyVPNGateway
      • Gateway type: VPN
      • VPN type: Route-based
      • SKU: VpnGw1
      • Virtual network: Select MyVNet (the gateway is deployed into a subnet that must be named GatewaySubnet; create it in MyVNet first, /27 or larger, and keep other resources out of it)
      • Public IP address: Create a new public IP address.
      • Resource group: Select MyResourceGroup.
    • Click “Review + create” and then “Create”.
  2. Configure the Local Network Gateway:
    • Specify the on-premises network details (e.g., address space).
  3. Create the VPN Connection:
    • Go to the newly created VPN Gateway and add a Site-to-Site (IPsec) connection to the Local Network Gateway. Both ends must share the same pre-shared key: generate a long random value rather than a word, and configure the identical value on the on-premises VPN device. Provisioning the gateway itself typically takes 30 to 45 minutes before the connection can come up.

Result: Secure communication between the on-premises network and MyVNet.

Summary

By setting up a VNet with subnets, associating NSGs for traffic control, using Load Balancers and Application Gateways for efficient traffic management, implementing Azure DNS for domain resolution, and configuring VPN Gateways for secure connectivity, you can create a robust and secure Azure network environment. This setup ensures seamless interaction between web applications, databases, and on-premises resources.

Example Workflow

  1. Create MyVNet with address space 10.0.0.0/16 and two subnets: WebSubnet (10.0.1.0/24) and DbSubnet (10.0.2.0/24).
  2. Create WebNSG to allow HTTP from anywhere and SSH only from the management address range, and associate it with WebSubnet.
  3. Deploy VMs (WebVM1, WebVM2) in WebSubnet and DbVM in DbSubnet.
  4. Create a Load Balancer (MyLoadBalancer) to distribute traffic to WebVM1 and WebVM2.
  5. Create an Application Gateway (MyAppGateway) for URL-based routing and TLS termination.
  6. Create a VPN Gateway (MyVPNGateway) and establish a secure connection to the on-premises network.

This detailed setup ensures your application and database are securely managed, with efficient traffic distribution and secure connectivity to on-premises resources.

      On-Premises Network                      Internet
    +-------------------+                         |
    |    On-Prem VM     |                         |
    +---------+---------+                         |
              |                                   |
              | Site-to-Site VPN (IPsec/IKE)      |
              v                                   v
+---------------------------------------------------------------------------+
|                     Azure VNet (MyVNet)  10.0.0.0/16                      |
|                                                                           |
|  +---------------------+    +-----------------------------------------+   |
|  | GatewaySubnet       |    | AppGatewaySubnet (10.0.3.0/24)          |   |
|  | VPN Gateway         |    | App Gateway (MyAppGateway): URL routing |   |
|  | (MyVPNGateway)      |    | TLS termination, WAF                    |   |
|  +----------+----------+    +--------------------+--------------------+   |
|             |                                    |                        |
|             | on-prem traffic                    | HTTP(S) from Internet  |
|             v                                    v                        |
|  +---------------------------------------------------------------------+  |
|  | WebSubnet (10.0.1.0/24)   NSG: WebNSG                               |  |
|  |                                                                     |  |
|  |   +----------------------+          +----------+    +----------+    |  |
|  |   | Load Balancer        |--------->|  WebVM1  |    |  WebVM2  |    |  |
|  |   | (MyLoadBalancer, L4) |          | 10.0.1.4 |    | 10.0.1.5 |    |  |
|  |   +----------------------+          +----+-----+    +----+-----+    |  |
|  +------------------------------------------+---------------+----------+  |
|                                             | db port only  |             |
|                                             v               v             |
|  +---------------------------------------------------------------------+  |
|  | DbSubnet (10.0.2.0/24)    NSG: DbNSG                                |  |
|  |                                                                     |  |
|  |                                        +------------------+         |  |
|  |                                        |       DbVM       |         |  |
|  |                                        |     10.0.2.4     |         |  |
|  |                                        +------------------+         |  |
|  +---------------------------------------------------------------------+  |
+---------------------------------------------------------------------------+

Virtual Network (VNet) Peering, VNet Gateway, and VPN Gateway in Azure

1. VNet Peering

VNet Peering allows you to connect two Azure Virtual Networks (VNets) so that resources in one VNet can communicate with resources in another VNet. This is useful for creating a network topology that spans multiple VNets while maintaining low latency and high bandwidth between them.

Key Features:

  • Low Latency and High Bandwidth: VNet peering forwards traffic over the Microsoft backbone using private IP addresses, with the same latency and bandwidth as traffic inside one VNet; no gateway and no public Internet path is involved.
  • Resource Access: Resources in peered VNets can communicate as if they are part of the same network, subject to the NSGs on both sides. The VirtualNetwork service tag includes peered address space, so the default AllowVnetInBound rule admits peered VMs unless you add a lower-numbered Deny.
  • No Overlapping IPs: The IP address spaces of the VNets must not overlap. Peering is also not transitive: A peered with B and B peered with C gives A no path to C.

Example Use Cases:

  • Connecting VNets in different regions for disaster recovery.
  • Isolating different tiers of an application across multiple VNets (e.g., web, application, and database tiers).

Diagram:

+------------+          +------------+
|   VNet A   |  Peering |   VNet B   |
| 10.0.0.0/16|<-------->| 10.1.0.0/16|
+------------+          +------------+
    |                        |
+--------+                +--------+
|  VM A  |                |  VM B  |
+--------+                +--------+

2. VNet Gateway

A VNet Gateway, properly a virtual network gateway, is the Azure resource that connects a VNet to networks outside it. It is deployed into the VNet's GatewaySubnet and comes in two gateway types. Type VPN sends IPsec/IKE-encrypted traffic between the VNet and an on-premises location over the public Internet, and can also carry encrypted VNet-to-VNet traffic. Type ExpressRoute terminates a private circuit that never touches the Internet; the gateway does not encrypt that circuit, so add IPsec over the circuit (or MACsec on ExpressRoute Direct) if confidentiality on the wire is required.

Key Features:

  • Supports VPN: With gateway type VPN, the gateway terminates site-to-site, VNet-to-VNet and point-to-site connections.
  • Supports ExpressRoute: With gateway type ExpressRoute, the gateway attaches the VNet to an ExpressRoute circuit for a private connection to Azure. One VNet can hold one gateway of each type side by side.

Example Use Cases:

  • Connecting an on-premises network to Azure via a site-to-site VPN.
  • Connecting multiple VNets through a hub-and-spoke network topology.

Diagram:

+------------+      +-------------------+      +------------+
| On-Premises|------|  VNet Gateway     |------|   Azure    |
|  Network   | VPN  |  (Site-to-Site)   | VNet |  Network   |
+------------+      +-------------------+      +------------+

3. VPN Gateway

A VPN Gateway is a specific type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. It uses the IPsec and IKE protocols to provide secure communication.

Key Features:

  • Site-to-Site VPN: Connects an on-premises network to Azure.
  • Point-to-Site VPN: Allows individual clients to connect to the Azure network.
  • Secure Communication: Uses industry-standard protocols for encryption and secure communication.

Example Use Cases:

  • Establishing secure connectivity between an on-premises data center and Azure.
  • Allowing remote users to securely connect to the Azure network from anywhere.

Diagram:

+------------+          +-------------------+          +------------+
| On-Premises| Site-to- |    VPN Gateway    | Site-to- |   Azure    |
|  Network   |   Site   |  (VNet Gateway)   |   Site   |  Network   |
+------------+<-------->|                   |--------->|  (VNet)    |
                        +-------------------+          +------------+
                        | Point-to-Site VPN |
                        +-------------------+

Comparison

Feature       | VNet Peering                                   | Virtual Network Gateway (VPN or ExpressRoute type)                      | VPN Gateway (gateway type VPN)
--------------+------------------------------------------------+-------------------------------------------------------------------------+-----------------------------------------------------
Purpose       | Connect VNets within Azure                     | Connect an Azure VNet to on-premises, or to other VNets                 | Connect an Azure VNet to on-premises or to remote clients
Latency       | Same as within a single VNet                   | Depends on the path (Internet or private circuit)                       | Depends on the Internet path
Bandwidth     | Same as within a single VNet                   | Depends on gateway SKU                                                  | Depends on gateway SKU (VpnGw1 and up)
Encryption    | No (private Microsoft backbone, not Internet)  | VPN type: yes (IPsec/IKE); ExpressRoute type: not by default            | Yes (IPsec/IKE)
Traffic Flow  | Direct, private IP addresses                   | Encrypted over the public Internet, or over a private ExpressRoute circuit | Encrypted over the public Internet
Transitive    | No                                             | Yes for spokes, with gateway transit over peering                       | Yes for spokes, with gateway transit over peering
Use Case      | Intra-Azure VNet communication                 | Hybrid cloud, hub-and-spoke with a shared gateway                        | Hybrid cloud, remote user access (point-to-site)

Summary Diagram

+-------------------------+
|   On-Premises Network   |
+------------+------------+
             | Site-to-Site VPN (IPsec/IKE)
             | or ExpressRoute private circuit
             v
+------------+------------+                         +-------------------------+
| Virtual Network Gateway |                         |                         |
| (VPN or ExpressRoute)   |       VNet Peering      |                         |
|       in VNet A         |<----------------------->|         VNet B          |
|      10.0.0.0/16        |   (direct, not over     |       10.1.0.0/16       |
|                         |    the public Internet) |                         |
+-----+-------------+-----+                         +-----+-------------+-----+
      |             |                                     |             |
  +---+---+     +---+---+                             +---+---+     +---+---+
  | VM A  |     | VM B  |                             | VM C  |     | VM D  |
  +-------+     +-------+                             +-------+     +-------+

VNet B reaches on-premises through VNet A's gateway only if gateway transit is enabled on the peering; peering alone does not forward traffic beyond the directly peered VNet.

Conclusion

  • VNet Peering: Best for low latency, high bandwidth communication between VNets within Azure; no encryption, no transitivity, no gateway required.
  • VNet Gateway (virtual network gateway): The resource that attaches a VNet to outside networks. Choose the VPN type for encrypted tunnels over the Internet or the ExpressRoute type for a private circuit, and share it with peered spoke VNets through gateway transit in a hub-and-spoke design.
  • VPN Gateway: The VPN type of that gateway; ideal for IPsec/IKE-encrypted communication between on-premises networks and Azure, and for remote user access via point-to-site.

CIDR (Classless Inter-Domain Routing)

Classless Inter-Domain Routing (CIDR) is a method for allocating IP addresses and IP routing. Introduced in 1993, CIDR replaced the previous system based on classful addressing. CIDR allows for more efficient and flexible allocation of IP addresses than the older system.

Key Concepts of CIDR

  1. IP Address: A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
  2. Prefix Length: Indicates the number of significant bits in the network portion of the address, written after a slash (/) following the IP address.

How CIDR Works

CIDR notation is written as an IP address followed by a slash and a number. The number represents the prefix length, which tells how many bits are used for the network portion of the address.

Example of CIDR Notation

  • 192.168.1.0/24
    • IP Address: 192.168.1.0
    • Prefix Length: /24

Steps to Understand CIDR Notation

  1. Understand IP Address Structure:
    • An IP address consists of 32 bits, divided into four octets (8 bits each).
    • Example: 192.168.1.0 in binary is 11000000.10101000.00000001.00000000.
  2. Identify Network and Host Portions:
    • The prefix length (e.g., /24) indicates the number of bits used for the network portion.
    • For 192.168.1.0/24, the first 24 bits are the network portion, and the remaining 8 bits are for hosts.
  3. Calculate the Subnet Mask:
    • The subnet mask is a 32-bit number where the network portion is represented by 1s and the host portion by 0s.
    • For /24, the subnet mask is 255.255.255.0 (in binary: 11111111.11111111.11111111.00000000).
  4. Determine the Network Address:
    • The network address is the first address in the range and is calculated by setting all the host bits to 0.
    • For 192.168.1.0/24, the network address is 192.168.1.0.
  5. Calculate the Range of IP Addresses:
    • The number of available IP addresses is determined by the number of host bits.
    • For /24, there are 8 host bits, so the range is 2^8 = 256 addresses.
    • The usable IP range is from 192.168.1.1 to 192.168.1.254 (excluding the network address 192.168.1.0 and the broadcast address 192.168.1.255).
    • In an Azure subnet the count is lower: Azure reserves the first four addresses (network, default gateway, two for Azure DNS) and the last (broadcast), so a /24 yields 251 assignable addresses and the first VM receives 192.168.1.4.

Examples of Different CIDR Notations

Example 1: 192.168.1.0/24

  1. Binary Representation:
    • IP Address: 192.168.1.0 -> 11000000.10101000.00000001.00000000
    • Subnet Mask: /24 -> 11111111.11111111.11111111.00000000
  2. Network Address: 192.168.1.0
  3. Usable IP Range: 192.168.1.1 to 192.168.1.254
  4. Broadcast Address: 192.168.1.255

Example 2: 10.0.0.0/8

  1. Binary Representation:
    • IP Address: 10.0.0.0 -> 00001010.00000000.00000000.00000000
    • Subnet Mask: /8 -> 11111111.00000000.00000000.00000000
  2. Network Address: 10.0.0.0
  3. Usable IP Range: 10.0.0.1 to 10.255.255.254
  4. Broadcast Address: 10.255.255.255

Advantages of CIDR

  1. Efficient IP Address Allocation: A prefix can be any length from /0 to /32, so a network receives a block sized to its need instead of a whole Class A, B or C.
  2. Reduced Number of Routing Table Entries: Contiguous prefixes can be aggregated (supernetted) into a single route announcement, keeping Internet routing tables smaller.
  3. Slows IPv4 Address Exhaustion: Variable-length subnet masking avoids the waste built into classful allocation; it postponed IPv4 exhaustion rather than preventing it, which is why IPv6 still matters.

Summary Diagram

Below is a simplified representation of how CIDR notation works with 192.168.1.0/24:

IP Address:     192.168.1.0
                11000000.10101000.00000001.00000000

Subnet Mask:    255.255.255.0 (/24)
                11111111.11111111.11111111.00000000

Network Portion:|  Network  | | Host  |
                192.168.1.0  to  192.168.1.255
                |  Usable IP Range: 192.168.1.1 to 192.168.1.254 |

Detailed Example Step-by-Step

  1. Understanding the IP Address:
    • IP: 192.168.1.0
    • Binary: 11000000.10101000.00000001.00000000
  2. Identifying Network and Host Portions:
    • Prefix Length: /24 (24 bits for network, 8 bits for hosts)
    • Subnet Mask: 255.255.255.0 (Binary: 11111111.11111111.11111111.00000000)
  3. Calculating Network Address:
    • Network Address: 192.168.1.0 (Host bits set to 0)
  4. Determining Usable IP Range:
    • Usable Range: 192.168.1.1 to 192.168.1.254
  5. Broadcast Address:
    • Broadcast Address: 192.168.1.255 (Host bits set to 1)

Azure Networking Simplified

Virtual Network (VNet):

  • A VNet in Azure is a private network that securely connects Azure resources and can extend to on-premises networks.
  • Key Features:
    • Isolation: Segregates resources and controls traffic.
    • Subnetting: Divides the VNet into subnets for organization and traffic management.
    • Address Space: Defined using CIDR notation to specify IP address ranges.

Subnets and CIDR:

  • Subnets: Subdivisions of a VNet for better organization and traffic control.
  • CIDR (Classless Inter-Domain Routing): Represents IP addresses and their routing prefix, defining the IP range.

Routes and Route Tables:

  • Routes: Dictate how network traffic is directed.
  • Route Tables: Collections of routes linked to subnets, allowing custom routing.

Network Security Groups (NSGs):

  • NSGs filter inbound and outbound traffic.
  • Key Aspects:
    • Rules: Define allowed/denied traffic based on source, destination, port, and protocol.
    • Default Rules: Predefined rules for controlling traffic within the VNet.
    • Association: Can be linked to subnets or individual network interfaces.

Application Security Groups (ASGs):

  • Group VMs by application requirements to simplify network security.
  • Key Aspects:
    • Simplification: Define rules based on application roles.
    • Membership: Explicit; a VM's NIC is added to the ASG (not derived from tags).
    • Rule Association: Security rules can be applied to ASGs.

Azure Application Gateway & WAF:

  • Application Gateway: Manages and routes web traffic with load balancing and SSL termination.
  • Web Application Firewall (WAF): Protects against web vulnerabilities.

Azure Load Balancer:

  • Distributes network traffic across multiple servers for high availability.
  • Key Features:
    • Distribution Mode: Five-tuple hash by default, with client-IP persistence options; not round-robin.
    • Availability Sets and Zones: Health probes plus availability sets, zones or scale sets give high availability.
    • Inbound and Outbound Traffic: Balances inbound flows; the Standard SKU also handles outbound (SNAT) through outbound rules.

Azure DNS:

  • Hosts domain names and provides name resolution within Azure.
  • Key Features:
    • Domain Hosting: Scalable and secure.
    • Integration: Works with Azure services.
    • Global Availability: Offers low-latency responses worldwide.

Azure Firewall:

  • A managed network security service protecting Azure VNet resources.
  • Key Features:
    • Stateful Firewall: Supports stateful inspection.
    • Application FQDN Filtering: Filters traffic by domain names.
    • Threat Intelligence Integration: Uses threat intelligence feeds.

Virtual Network Peering and VNet Gateway:

  • Virtual Network Peering: Connects VNets for direct communication.
    • Key Features: Global peering across regions; direct, non-transitive routing over the Microsoft backbone.
  • VNet Gateway (virtual network gateway): Connects the VNet to networks outside it; gateway type VPN or ExpressRoute.
    • Key Features: Site-to-Site VPN and Point-to-Site VPN (VPN type); private circuits (ExpressRoute type).

VPN Gateway:

  • Provides secure connectivity between on-premises networks and Azure.
  • Key Features:
    • IPsec/IKE VPN Protocols: Secure communication.
    • High Availability: Supports active-active and active-passive configurations.
    • BGP Support: Enables dynamic routing.