One of the first tasks you have when moving to the cloud is to replicate your current network into Azure. Setting up networks will usually be the first step in any deployment, because without a network you will be unable to correctly set up other resources such as virtual machines.
Virtual Networks (VNets)
In Azure, a VNet is a representation of your own network, but in the cloud. Conceptually a VNet is the same as any office or home network; in practice it is a software-defined network built on Microsoft's physical infrastructure, so the isolation between your VNets (and between you and other tenants) is enforced in software rather than by separate cabling. VNets are isolated from each other by default and only talk when you explicitly connect them.
Setting up VNets should be carefully planned. Once a network has been created it is difficult to modify, especially once resources have been connected and are in production.
So plan your network address space and each subnet before you create them in Azure. Choose ranges that do not overlap with your on-premises networks or with any VNet you may later need to peer or connect to, because Azure will not connect networks whose address spaces overlap.
When you create a Virtual Network (Azure > Virtual Networks > Add) you have to specify the Virtual Network name, address space, resource group, location and subnet details; at least one subnet must be specified at creation time.
Once created you will be able to open the network from the virtual networks blade and you will see numerous options down the left.
Subnets
Subnets are child resources of VNets. They define specific segments within a virtual network to be used for different workloads and are the unit to which traffic filtering (an NSG) and routing (a route table) are applied. Note that subnets do not isolate traffic on their own: by default every subnet in a VNet can reach every other subnet, so any isolation comes from the NSG rules you attach.
When you create a VNet you must specify at least one subnet; you can add more later from the 'Virtual Networks' blade. A subnet's name must be unique within the VNet and cannot be changed once it has been set.
Cloudy Tip: Once you have connected devices to a subnet, you will no longer be able to change its address range. If you do need to modify the subnet, you first have to delete it and then re-create it, and you can only delete subnets that contain no connected resources.
Azure reserves five addresses in every subnet: the network address, the first host address (used as the default gateway), the next two (used for Azure DNS mapping) and the broadcast address. So in 192.168.1.0/24 the addresses 192.168.1.0 to 192.168.1.3 and 192.168.1.255 are unavailable, the first usable and assignable address is 192.168.1.4, and a /24 gives you 251 addresses rather than 254. The smallest subnet Azure supports is a /29, which leaves only three usable addresses.
When you go to create a subnet in the Subnets blade you will notice another subnet type that you can add, the gateway subnet. This is a subnet used specifically for VPN (and ExpressRoute) gateways; it must be named exactly GatewaySubnet, and it is covered later in this post.
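To make the planning advice above concrete, here is an added example (not code from the original post) that checks a proposed VNet layout before anything is created in Azure. It is plain Python using only the standard library; the address space, subnet names and prefixes are constructed sample values, while the five-address reservation, the /29 minimum and the GatewaySubnet name are Azure's documented rules. The "gateway" name heuristic is an assumption made for this example.

```python
"""Pre-flight check for an Azure VNet layout (added example, not from the original post)."""
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5          # network, gateway (.1), Azure DNS (.2, .3), broadcast
AZURE_MIN_SUBNET_PREFIX = 29           # Azure rejects subnets smaller than /29
GATEWAY_SUBNET_NAME = "GatewaySubnet"  # the exact name a VPN/ExpressRoute gateway subnet must carry


def reserved_addresses(subnet):
    """The five addresses Azure never hands out in a subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]


def first_assignable(subnet):
    """First address a NIC can actually receive: always the .4 of the subnet."""
    return str(ipaddress.ip_network(subnet, strict=True).network_address + 4)


def usable_addresses(subnet):
    """Addresses left for NICs after the reservation (a /24 gives 251, not 254)."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - AZURE_RESERVED_PER_SUBNET


def check_plan(address_space, subnets):
    """Validate {name: prefix} against the VNet address space; returns a list of problems."""
    space = ipaddress.ip_network(address_space, strict=True)
    problems, accepted = [], {}
    for name, prefix in subnets.items():
        try:
            net = ipaddress.ip_network(prefix, strict=True)   # strict: "10.0.1.1/24" is rejected
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(space):
            problems.append(f"{name}: {net} lies outside address space {space}")
        if net.prefixlen > AZURE_MIN_SUBNET_PREFIX:
            problems.append(f"{name}: {net} is smaller than /{AZURE_MIN_SUBNET_PREFIX}")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        # Heuristic (assumption for this example): a subnet whose name mentions "gateway"
        # is meant for a gateway, and Azure only recognises the exact name GatewaySubnet.
        if "gateway" in name.lower() and name != GATEWAY_SUBNET_NAME:
            problems.append(f"{name}: a gateway subnet must be named exactly {GATEWAY_SUBNET_NAME}")
        if name == GATEWAY_SUBNET_NAME and net.prefixlen > 27:
            problems.append(f"{name}: Microsoft recommends /27 or larger for the gateway subnet")
        accepted[name] = net
    return problems


# Constructed sample layout with three deliberate mistakes.
SAMPLE_SPACE = "10.0.0.0/16"
SAMPLE_SUBNETS = {
    "web": "10.0.1.0/24",
    "db": "10.0.1.128/25",          # overlaps web
    "mgmt": "10.0.2.0/30",          # too small for Azure
    "GatewaySubnet": "10.0.255.0/27",
    "backup": "10.1.0.0/24",        # outside the address space
}

if __name__ == "__main__":
    print("first usable in 192.168.1.0/24:", first_assignable("192.168.1.0/24"))   # 192.168.1.4
    for problem in check_plan(SAMPLE_SPACE, SAMPLE_SUBNETS):
        print("PROBLEM:", problem)
```

Running the check against the sample layout reports the overlap, the too-small subnet and the out-of-range subnet; fixing those on paper is far cheaper than deleting and re-creating subnets once VMs are attached.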
Network Security Groups
Traffic filtering is an important part of any network; traditionally this would be done with a firewall or an access list on network appliances. In Azure you have the ability to use Network Security Groups. NSGs let you filter traffic with rules that allow or deny packets to specific ports, inbound or outbound. For each rule you specify the source and destination (an IP address, a CIDR range or a service tag such as VirtualNetwork or Internet), the destination port or port range, the protocol, a priority and the action. NSG rules are stateful: if an inbound connection is allowed, its return traffic is allowed automatically without a matching outbound rule.
Azure has a set of default rules it creates whenever you create an NSG, listed below. Inbound: AllowVnetInBound (priority 65000, allow everything from the VirtualNetwork tag), AllowAzureLoadBalancerInBound (65001, allow health probes from the AzureLoadBalancer tag) and DenyAllInBound (65500). Outbound: AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). The default rules cannot be deleted, but any of them can be overridden by a custom rule with a lower priority number.
Cloudy Tip: NSGs can be applied to subnets, NICs or both. An NSG applied to a subnet enforces its inbound and outbound rules on every NIC connected to that subnet. If NSGs are applied at both levels, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG, while outbound traffic is evaluated by the NIC NSG first and then by the subnet NSG. Traffic must be allowed at both levels to get through; a deny at either level is final, so a port opened on the subnet NSG is still blocked if the NIC NSG does not also allow it.
NSG rules are enforced in priority order. Custom rules take priority values from 100 to 4096 (the default rules sit at 65000 and above), and a lower number means a higher priority. Azure evaluates the rules starting at the lowest number and stops at the first rule that matches the traffic, so a Deny at priority 200 is never reached for traffic that an Allow at priority 100 already matched. Leave gaps between your priority numbers so rules can be inserted later without renumbering.
By default, every VM connected to a VNet has outbound internet connectivity (the AllowInternetOutBound default rule) but no inbound access from the internet (DenyAllInBound). Inbound access from the internet has to be explicitly allowed by an NSG rule, and the VM also needs a public IP or a load balancer in front of it.
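To show how priority order, the two NSG layers and the default rules combine, the following added example (not from the original post) evaluates constructed flows against a subnet NSG and a NIC NSG in plain Python. It goes slightly beyond the text by handling outbound ordering as well as inbound. Service-tag resolution is simplified (the VirtualNetwork tag is taken to mean the VNet's own address space only), and the VNet range, rule names and addresses are constructed for the demo.

```python
"""Offline evaluator for Azure NSG semantics (added example, not from the original post)."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

AZURE_LB_VIP = "168.63.129.16"   # platform VIP that the AzureLoadBalancer service tag resolves to
Flow = namedtuple("Flow", "direction protocol src dst dst_port")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 for custom rules, 65000+ for Azure's defaults; lower is checked first
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR/IP, service tag (VirtualNetwork, Internet, AzureLoadBalancer) or "*"
    destination: str  # same forms as source
    dest_ports: str   # "443", "22-23", "80,443" or "*"


# The six rules Azure places in every NSG, with the names and priorities Azure uses.
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
)


def new_nsg(*custom):
    """An NSG as Azure evaluates it: your custom rules plus the six defaults."""
    return [*custom, *DEFAULT_RULES]


def address_matches(spec, addr, vnet_space):
    """Simplified tag resolution: the real VirtualNetwork tag also covers peered VNets and on-prem prefixes."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    in_vnet, is_lb = ip in vnet_space, addr == AZURE_LB_VIP
    tags = {"VirtualNetwork": in_vnet, "AzureLoadBalancer": is_lb, "Internet": not in_vnet and not is_lb}
    return tags[spec] if spec in tags else ip in ipaddress.ip_network(spec, strict=False)


def port_matches(spec, port):
    """Azure port specs: "*", a single port, a range "a-b", or a comma-separated list of those."""
    ranges = (part.partition("-") for part in spec.split(","))
    return spec == "*" or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)


def evaluate(nsg, flow, vnet_space):
    """(access, rule name) of the first matching rule in priority order; processing stops there."""
    for rule in sorted(nsg, key=lambda r: r.priority):
        if rule.direction != flow.direction or rule.protocol not in ("*", flow.protocol):
            continue
        if (address_matches(rule.source, flow.src, vnet_space)
                and address_matches(rule.destination, flow.dst, vnet_space)
                and port_matches(rule.dest_ports, flow.dst_port)):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"   # unreachable once the defaults are present


def effective_access(subnet_nsg, nic_nsg, flow, vnet_space):
    """Combine both layers as Azure does: subnet then NIC inbound, NIC then subnet outbound,
    and the flow must be allowed at every layer that has an NSG (None = no NSG attached)."""
    layers = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if flow.direction == "Outbound":
        layers.reverse()
    trail = []
    for layer, nsg in layers:
        if nsg is None:            # no NSG at this layer means nothing is filtered here
            continue
        access, name = evaluate(nsg, flow, vnet_space)
        trail.append((layer, name))
        if access == "Deny":       # a deny at either layer is final
            return "Deny", trail
    return "Allow", trail


# Constructed scenario: a /16 VNet, one NSG on the web subnet and a second NSG on a VM's NIC.
VNET = ipaddress.ip_network("10.0.0.0/16")
SUBNET_NSG = new_nsg(
    Rule("allow-https-from-internet", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("allow-admin-ssh", 110, "Inbound", "Allow", "Tcp", "198.51.100.0/24", "*", "22"),
    Rule("deny-ssh", 200, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    Rule("deny-internet-out", 4000, "Outbound", "Deny", "*", "*", "Internet", "*"),
)
NIC_NSG = new_nsg(Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "*", "443"))
FLOWS = {
    "https from internet": Flow("Inbound", "Tcp", "203.0.113.10", "10.0.1.4", 443),
    "ssh from admin range": Flow("Inbound", "Tcp", "198.51.100.7", "10.0.1.4", 22),
    "ssh from another subnet": Flow("Inbound", "Tcp", "10.0.2.5", "10.0.1.4", 22),
    "load balancer probe": Flow("Inbound", "Tcp", AZURE_LB_VIP, "10.0.1.4", 443),
    "vm to internet": Flow("Outbound", "Tcp", "10.0.1.4", "203.0.113.10", 443),
}


def run_scenario():
    """Effective verdict per flow, plus the rule that decided it at each layer."""
    return {label: effective_access(SUBNET_NSG, NIC_NSG, flow, VNET) for label, flow in FLOWS.items()}
```

Two results are worth dwelling on. SSH from the admin range is allowed by the subnet NSG (priority 110 wins over the deny at 200) but still denied, because the NIC NSG has no SSH rule and falls through to DenyAllInBound. SSH from another subnet is denied even though AllowVnetInBound exists, because the custom deny at 200 is evaluated long before 65000. Dropping the NIC NSG entirely (passing None) makes the admin SSH flow succeed, which is exactly the "both levels must allow" behaviour described above.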
Azure resources such as VMs can be connected to each other even if they are in different subnets. Azure provides system routes between subnets, VNets, and on-premises networks, so you don’t have to configure and manage routes. More on routes later.
Connecting VNets
VNets can be connected together so that a VM can reach a VM in any other VNet. This can be done via peering or via a VNet-to-VNet VPN through a VPN gateway.
Peering connects two VNets across the Azure backbone, keeping traffic private without any data going out over the internet, and no VPN gateway is needed for this method. Peering is normally used for VNets in the same region, but it is also possible to peer VNets across Azure regions; this is called Global VNet Peering. The advantage of peering is low latency and high bandwidth that remain constant and predictable. Two caveats: the address spaces of peered VNets must not overlap, and peering is not transitive, so if VNet A is peered with B and B with C, A cannot reach C without its own peering (or a gateway or network appliance in B that forwards the traffic).
As stated above, another method of connecting VNets is a VNet-to-VNet VPN connection using a VPN gateway and IPsec. This is similar to setting up an S2S VPN connection, which is covered in the next chapter.
VPN & Gateway
Any company that has users working remotely or servers located on-premises will need to use Azure VPN connections. They work in the same way as any other VPN connection: they allow a client or a site to connect to a remote network securely over the internet. Hybrid environments are very common, especially when companies first adopt Azure, as it is unlikely they will move everything in one go. Therefore the creation of VPN connections is vital to most Azure environments.
VPN Gateway: Most of the VPN types in Azure use a VPN gateway, which ensures traffic is encrypted in transit between Azure and another network, either on-premises or another VNet within Azure. As mentioned in the subnet section, every gateway needs its own dedicated subnet, named GatewaySubnet. VPN gateways can be deployed with different SKUs; each SKU has a different bandwidth limit, tunnel limit and cost.
Cloudy Tip: Each VNet can have only one VPN gateway (and at most one ExpressRoute gateway). Do not deploy other resources into the GatewaySubnet, and do not attach an NSG to it: Microsoft documents that NSGs are not supported on the gateway subnet and can stop the gateway from working.
Azure offers different types of VPN Connections, depending on your needs:
Site-to-Site (S2S) connections: S2S connections provide secure connectivity between on-premises and Azure. This type of connection is used to connect whole sites to each other; it would not be used to connect a single user to a network. An S2S connection needs a local network gateway object in Azure (which represents the on-premises VPN device and the address prefixes behind it), a VPN appliance on-premises, a pre-shared key for authentication, and IPsec/IKE (IKEv1 or IKEv2) as its security protocols. Treat the pre-shared key as a secret: generate it randomly and keep it out of deployment scripts.
Point-to-Site (P2S) connections: P2S is used to connect individual clients to your VNet. The connection is always started from the client machine, which makes it most useful for companies with remote workers. P2S authenticates clients with certificates, Azure AD (Microsoft Entra ID) or RADIUS, uses a VPN client on the device, and supports OpenVPN, SSTP or IKEv2 as its tunnel protocols.
VNet-to-VNet VPN: V2V connections are very similar to S2S in setup and configuration, but they connect VNets to each other within Azure instead of connecting Azure to on-premises. The difference from S2S is that no local network gateway is needed, because each side's VPN gateway is the peer, which makes V2V typically quicker and easier to set up than an S2S connection.
ExpressRoute: ExpressRoute connects your sites to Azure over a private connection from a connectivity provider rather than across the public internet; although it is grouped with the VPN options here, it is not a VPN. Traffic sent over the internet is unpredictable, whereas a private line is more predictable, faster and lower latency. Note that ExpressRoute traffic is not encrypted by default: if you need confidentiality on the circuit you have to add it yourself, for example an IPsec VPN running over ExpressRoute or MACsec on ExpressRoute Direct.
Azure DNS
DNS and the ability to provide name resolution are vital to any network or environment, and Azure offers its own DNS service. Azure DNS zones are Azure Resource Manager resources, so they can be managed through the portal, CLI, PowerShell or templates, access to them can be restricted with Azure role-based access control, and they are billed along with your other Azure resources.
As with traditional DNS, you can add zones and records to Azure DNS. You can also create Private Zones so your Azure resources can resolve the FQDNs of other resources without those names being visible on the internet; a private zone only answers queries from the VNets it has been linked to.
Public DNS domains are hosted on Azure's global network of DNS name servers. The servers use Anycast networking, meaning queries are answered by the closest available DNS server.
Billing for Azure DNS is based on the number of hosted zones and the number of DNS queries served, not the number of records.
Load Balancer
High availability is a must for any cloud, hybrid or traditional on-premises environment. Azure provides a load balancer that helps admins ensure high availability of a service.
The Azure Load Balancer supports inbound and outbound traffic and provides low latency and high throughput. It distributes traffic from a frontend IP to a backend pool of VMs, and health probes check each instance in the backend pool so that traffic is only sent to healthy ones.
Azure Load Balancer is available in two SKUs, Basic and Standard, which offer different features depending on what you need. From a security point of view the main difference is that a Standard load balancer is closed by default: its backend VMs receive no inbound traffic until an NSG explicitly allows it, whereas Basic lets the traffic through unless an NSG blocks it.
Please see below for further reading from the Official Microsoft Documents:
This post is not a definitive list of all the services and functionality Azure Networking offers. It is simply an introduction; further articles will cover other services in more detail, such as routes and VPN.