A virtual network (vNet) in Azure is similar to the network we have in an on-premises environment: it connects resources to each other. An Azure virtual network connects virtual machines (VMs), lets a group of VMs operate as a connected system (a farm) so that they can communicate with each other, and, in connected scenarios, lets them talk to on-premises systems as well.
An Azure subscription can deploy resources into multiple Azure regions, and each region can host one or more virtual networks. Virtual networks are isolated from one another by default, even when they are in the same region and subscription; they only communicate if they are explicitly connected, for example through vNet peering or a VPN gateway.
Virtual networks –
- Have their own private address space as defined during their creation
- Can have one or more subnets, each with its own address space carved out of the vNet's address space.
When a virtual network is provisioned, Azure provides name resolution for the resources in it (Azure-provided DNS). There is additionally an option to configure our own DNS servers, for example when we have our own domain name; resources created in the vNet then use the configured DNS servers and domain name.
Understanding Frequently Used Terms in Virtual Networks
Subnets – Subnets provide separation of concerns within a virtual network: resources can be grouped into different subnets depending on requirements, and network security groups and route tables can then be applied per subnet. Some resources require a dedicated subnet of their own, such as an Application Gateway and a VPN gateway (which uses a subnet named GatewaySubnet).
Network Security Groups (NSG) – An NSG is a resource, usually kept in the same resource group as the vNet, that holds a set of rules for filtering the inbound and outbound traffic to and from Azure resources such as virtual machines.
An NSG can be associated with either a NIC or a subnet. If it is associated with a NIC, only the single VM that owns that NIC is affected; if it is associated with a subnet, every VM within the subnet follows the same rules. Both can be in effect at once: for inbound traffic the subnet NSG is evaluated first and then the NIC NSG, for outbound traffic the NIC NSG first and then the subnet NSG, and traffic only passes if every NSG on the path allows it.
Every rule defined in an NSG has a priority: a number between 100 and 4096 for user-defined rules. Rules are evaluated in ascending order of this number and the first match decides, so a lower number means a higher priority. A set of default rules exists that cannot be deleted, but they carry the highest priority values (65000 and above), i.e., the lowest priority, so any user-defined rule overrides them. Among other things, the defaults allow traffic within the virtual network and from the Azure load balancer inbound, allow outbound traffic to the internet, and deny everything else inbound.
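The address-space rules above can be checked before anything is deployed. The following is an added example, not code from the original page: it validates a constructed vNet address plan offline with Python's standard library, flagging subnets outside the vNet range, overlapping subnets and subnets below Azure's /29 minimum, and reports usable host counts after Azure's five reserved addresses per subnet. The vNet and subnet prefixes are sample values.

```python
# Added example (not from the original page): checking a vNet address plan
# offline with Python's standard library. The vNet and subnet prefixes are
# constructed sample values. The "5 reserved addresses" and "/29 minimum" rules
# are Azure's documented subnet constraints, applied here without calling Azure.
import ipaddress
from typing import Dict, List

AZURE_RESERVED_PER_SUBNET = 5   # network, 3 reserved for Azure services, broadcast
MIN_SUBNET_PREFIXLEN = 29       # /29 is the smallest subnet Azure accepts


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses a tenant can actually assign inside one Azure subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def validate_plan(vnet_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return the list of problems found; an empty list means the plan is valid."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    problems: List[str] = []
    if not vnet.is_private:
        problems.append(f"vNet {vnet_cidr} is not a private address range")
    parsed: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: invalid prefix {cidr} ({exc})")
            continue
        if not net.subnet_of(vnet):
            problems.append(f"{name}: {cidr} lies outside the vNet space {vnet_cidr}")
        if net.prefixlen > MIN_SUBNET_PREFIXLEN:
            problems.append(f"{name}: {cidr} is smaller than the /29 minimum")
        parsed[name] = net
    # Subnets inside one vNet must not overlap each other.
    names = list(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems


if __name__ == "__main__":
    # Constructed plan: a web tier, an app tier, the dedicated subnets that
    # Application Gateway and VPN Gateway require, plus three mistakes.
    plan = {
        "web": "10.1.1.0/24",
        "app": "10.1.2.0/24",
        "AppGatewaySubnet": "10.1.3.0/24",
        "GatewaySubnet": "10.1.255.0/27",
        "web-overlap": "10.1.1.128/25",   # overlaps "web"
        "too-small": "10.1.4.0/30",       # below the /29 minimum
        "wrong-vnet": "10.2.0.0/24",      # outside 10.1.0.0/16
    }
    for p in validate_plan("10.1.0.0/16", plan):
        print("PROBLEM:", p)
    for name, cidr in plan.items():
        print(f"{name:18} {cidr:18} usable hosts: {usable_hosts(cidr)}")
```

Running the script prints the three planning mistakes and shows, for example, that a /24 yields 251 usable addresses rather than 254 because of Azure's reserved addresses; a /27 GatewaySubnet leaves 27.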
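The priority and subnet-versus-NIC semantics are easy to get wrong in practice, and the usual mistake is attaching a second NSG that silently denies what the first allows. The following is an added example, not code from the original page or from Azure: a small simulator of NSG evaluation with Azure's default rules, first-match-by-priority ordering, and the subnet-then-NIC (inbound) and NIC-then-subnet (outbound) order. The vNet prefix, the rules in sample_nsgs() and the reduced set of service tags (VirtualNetwork, AzureLoadBalancer, Internet, "*") are assumptions of this example; the real engine supports many more tags and application security groups, but the match semantics shown are the same.

```python
# Added example (not from the original page): a minimal simulator of NSG rule
# evaluation, illustrating priority ordering and subnet/NIC evaluation order.
# Assumptions: VNET_PREFIXES and the rules in sample_nsgs() are constructed; the
# only service tags modelled are VirtualNetwork, AzureLoadBalancer, Internet, "*".
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VNET_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]          # constructed vNet space
AZURE_LB_PROBE_SOURCE = ipaddress.ip_address("168.63.129.16")  # Azure health-probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # user rules 100-4096; lower number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str = "*"    # "Tcp", "Udp", "Icmp" or "*"
    source: str = "*"      # CIDR, service tag or "*"
    source_port: str = "*"
    destination: str = "*"
    dest_port: str = "*"   # single port, "lo-hi" range or "*"


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_SOURCE
    if spec == "Internet":             # simplification: everything outside the vNet
        return not in_vnet
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Azure's default rules: present in every NSG, not deletable, priority 65000+.
DEFAULT_RULES = {
    "Inbound": [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", source="AzureLoadBalancer"),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
    ],
    "Outbound": [
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", source="VirtualNetwork", destination="VirtualNetwork"),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", destination="Internet"),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny"),
    ],
}


def evaluate_nsg(rules: List[Rule], direction: str, proto: str,
                 src: str, sport: int, dst: str, dport: int) -> Tuple[bool, str]:
    """Lowest priority number that matches wins; the default rules come last."""
    candidates = [r for r in rules if r.direction == direction] + DEFAULT_RULES[direction]
    for r in sorted(candidates, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != proto:
            continue
        if (_addr_matches(r.source, src) and _port_matches(r.source_port, sport)
                and _addr_matches(r.destination, dst) and _port_matches(r.dest_port, dport)):
            return r.access == "Allow", r.name
    raise RuntimeError("unreachable: a DenyAll default rule always matches")


def effective_access(subnet_nsg: Optional[List[Rule]], nic_nsg: Optional[List[Rule]],
                     direction: str, proto: str,
                     src: str, sport: int, dst: str, dport: int) -> Tuple[bool, str]:
    """Inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG.
    A level with no NSG attached filters nothing; every attached NSG must allow."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        order.reverse()
    trace = []
    for label, rules in order:
        if rules is None:
            continue
        allowed, rule = evaluate_nsg(rules, direction, proto, src, sport, dst, dport)
        trace.append(f"{label}:{rule}")
        if not allowed:
            return False, ",".join(trace)
    return True, ",".join(trace)


def sample_nsgs() -> Tuple[List[Rule], List[Rule]]:
    """Constructed sample: a web-tier subnet NSG and a per-VM NIC NSG."""
    subnet_nsg = [
        Rule("AllowHttpsInbound", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
        Rule("DenyRdpFromInternet", 200, "Inbound", "Deny", "Tcp", "Internet", "*", "*", "3389"),
    ]
    nic_nsg = [
        Rule("AllowSshFromJumpbox", 100, "Inbound", "Allow", "Tcp", "10.1.0.0/24", "*", "*", "22"),
    ]
    return subnet_nsg, nic_nsg
```

With the sample rules, HTTPS from the internet to a web VM is allowed by the subnet NSG but then denied by the NIC NSG's DenyAllInBound, because the NIC NSG only has an SSH rule: the trace returned by effective_access names the NSG and rule that made the decision, which is exactly what you need when debugging "the subnet rule is there but the port is still closed".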
Network Interfaces (NICs) – A NIC provides the connectivity between an Azure virtual machine and the vNet, enabling the VM to communicate with internal and external resources over the network.
A virtual machine can have more than one network interface; the maximum number depends on the VM size chosen.
IP Address – IP addresses are assigned to resources so that they can communicate with each other within Azure and with the outside, i.e., the on-premises network and the internet. There are two types of IP addresses in Azure:
- Public IP addresses: These IP addresses are used for communication over the internet and with public-facing Azure services.
The Azure Public IP address is created with either –
- Basic SKU
They can be assigned with either the static or the dynamic allocation method. They are open by default: a network security group is recommended but optional for restricting inbound or outbound traffic. IP addresses under the Basic SKU are not zone redundant.
- Standard SKU
They can be assigned only with the static allocation method. They are secure by default: inbound traffic is blocked until it is explicitly allowed by network security group rules specifying the permitted IP addresses, ports, protocols, etc. This SKU can be zone redundant.
The Public IP addresses can be assigned to –
- Virtual Machines
- External/Internet facing Load Balancers (Layer 4 Load Balancing)
- VPN Gateways (P2S and S2S Connectivity)
- Application Gateways (Layer 7 Load Balancing)
- Private IP addresses: The private IP addresses, on the other hand, are used for communication within an Azure vNet. These IP addresses also allow communication with your on-premises network once a VPN gateway or ExpressRoute connection to the on-premises network is established.
The Private IP addresses can be assigned to –
- Virtual Machines
- Internal Load Balancers (Layer 4 LBs)
- Application Gateways (Layer 7 LBs)
VPN Gateways – A VPN gateway connects networks: one Azure vNet to another Azure vNet, or an Azure vNet to the on-premises network. It is created in a dedicated subnet of its own, named GatewaySubnet. Older Microsoft documentation stated that only a dynamically allocated Basic SKU public IP address could be assigned to a VPN gateway; current VPN gateway SKUs instead require a static Standard SKU public IP, and the Basic public IP SKU is being retired, so check the documentation for the gateway SKU you deploy.
Application Gateway – Application gateways are layer 7 load balancers. The same public IP note applies here: the v1 SKU used a dynamically allocated Basic public IP, while the v2 SKU requires a static Standard SKU public IP. A traditional load balancer operates at the transport layer (Layer 4, i.e., TCP and UDP), whereas the application gateway understands HTTP and routes traffic based on the URL path or host name. An application gateway is always deployed inside a virtual network, in a subnet of its own.
There are two SKUs for application gateway, which are:
- Standard
Provides all the features of a layer 7 load balancer
- Web Application Firewall (WAF)
Provides centralized protection for web applications against common attacks and vulnerabilities (such as those covered by the OWASP core rule set), in addition to everything under the Standard SKU
Load Balancers – Azure Load Balancer is a layer 4 load balancer operating at the TCP and UDP level, delivering high availability and performance for applications.
The load balancer maps incoming traffic on its frontend IP address and port to the private IP address and port of a backend virtual machine, distributing connections across the VMs in the backend pool that its health probe reports as healthy.
Traffic Manager – Traffic Manager is another point of interest. It is a DNS-based load balancer that distributes traffic optimally to services across different Azure regions, providing high availability and performance.
Because it works at the DNS level, Traffic Manager does not proxy the traffic itself: it answers the client's DNS query with the endpoint chosen by the configured traffic-routing method (for example priority, weighted, performance or geographic) and by the health of the endpoints, which it probes continuously.
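To make the DNS-level behaviour concrete, the following is an added example, not Traffic Manager's code or anything from the original page: a small simulation in which endpoints accumulate health-probe results and a resolver returns the DNS name of the endpoint chosen by the priority or performance routing method. The endpoint names, the latency table, the tolerated-failure count of three consecutive failed probes, and the fail-safe of answering with all endpoints when every one of them is degraded are assumptions of this example.

```python
# Added example (not from the original page): a simulation of how a DNS-based
# load balancer such as Traffic Manager picks an endpoint. The endpoints,
# latency table, TOLERATED_FAILURES and the all-degraded fail-safe are
# constructed assumptions for illustration, not Traffic Manager's code.
from dataclasses import dataclass
from typing import List

TOLERATED_FAILURES = 3   # assumption: consecutive failed probes before "Degraded"


@dataclass
class Endpoint:
    name: str            # DNS name returned to the client; no traffic is proxied
    region: str
    priority: int        # for Priority routing: lower value is preferred
    consecutive_failures: int = 0

    @property
    def healthy(self) -> bool:
        return self.consecutive_failures < TOLERATED_FAILURES


def record_probe(ep: Endpoint, http_status: int) -> None:
    """Apply one health-probe result; assumption: any 2xx counts as success."""
    if 200 <= http_status <= 299:
        ep.consecutive_failures = 0
    else:
        ep.consecutive_failures += 1


# Constructed round-trip times (ms) from a client's region to each endpoint region.
LATENCY_MS = {
    ("eu-client", "westeurope"): 12, ("eu-client", "eastus"): 85, ("eu-client", "southeastasia"): 160,
    ("us-client", "westeurope"): 90, ("us-client", "eastus"): 10, ("us-client", "southeastasia"): 190,
}


def resolve(endpoints: List[Endpoint], method: str, client_region: str) -> str:
    """DNS name a client in client_region receives under the given routing method."""
    candidates = [e for e in endpoints if e.healthy]
    if not candidates:
        # Assumed fail-safe: with every endpoint degraded, answer as if all were healthy
        # rather than returning nothing, so the service is not blackholed by its own probes.
        candidates = list(endpoints)
    if method == "Priority":
        return min(candidates, key=lambda e: e.priority).name
    if method == "Performance":
        return min(candidates, key=lambda e: LATENCY_MS[(client_region, e.region)]).name
    raise ValueError(f"unsupported routing method: {method}")


def sample_endpoints() -> List[Endpoint]:
    """Constructed sample profile: three regional deployments of one application."""
    return [
        Endpoint("app-weu.example.net", "westeurope", priority=1),
        Endpoint("app-eus.example.net", "eastus", priority=2),
        Endpoint("app-sea.example.net", "southeastasia", priority=3),
    ]


if __name__ == "__main__":
    eps = sample_endpoints()
    print("EU client, Performance:", resolve(eps, "Performance", "eu-client"))
    for _ in range(TOLERATED_FAILURES):
        record_probe(eps[0], 503)          # West Europe starts failing its probe
    print("EU client after WEU degraded:", resolve(eps, "Performance", "eu-client"))
    print("US client, Priority:", resolve(eps, "Priority", "us-client"))
```

Note what the client actually gets back: a name, never a connection. Once the DNS answer is cached, a client keeps talking to the chosen endpoint until its resolver's TTL expires, which is why failover through a DNS-based load balancer is never instantaneous.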