Azure Container Networking: Virtual Networks

Virtual Networks for Containers

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It allows you to create a dedicated, isolated network for your Azure resources, including containers. Integrating your container workloads with VNets provides enhanced security, custom network configurations, and seamless integration with other Azure services.

Why Use Virtual Networks with Containers?

Network Isolation: Keep your containerized applications isolated from public networks and other tenants.
Private IP Addressing: Assign private IP addresses to your containers and services, allowing them to communicate securely within the VNet.
Custom Routing: Define custom routes and network security groups (NSGs) to control traffic flow and enforce security policies.
Hybrid Connectivity: Seamlessly connect your on-premises networks to your Azure container environment using VPN Gateway or ExpressRoute.
Service Integration: Integrate with other Azure PaaS and IaaS services that require network connectivity, such as Azure SQL Database or Azure File Storage.

Integration Scenarios

Azure offers several ways to integrate container services with Virtual Networks:

Azure Kubernetes Service (AKS)

AKS provides robust VNet integration. You can choose to deploy your AKS cluster nodes into an existing VNet or have AKS create one for you. This allows your pods to get IP addresses directly from the VNet subnet, enabling:

Pod-to-pod communication within the VNet without NAT.
Direct VNet peering for cross-cluster communication.
Integration with Azure Load Balancer for exposing services.
Network Policies for fine-grained traffic control between pods.

You can configure network plugins like Azure CNI for direct VNet integration.

Azure Container Instances (ACI)

ACI allows you to deploy containers without managing underlying infrastructure. For VNet integration with ACI, you can use virtual network integration to deploy your container groups into an Azure Virtual Network. This enables your containers to access resources within the VNet and be accessed by other resources in the VNet.

Azure Container Apps

Azure Container Apps is a managed service that simplifies the deployment and scaling of microservices and containerized applications. It has built-in networking capabilities, and when deployed into a VNet, it leverages the VNet's IP address space for enhanced network control and integration.

Key Networking Components

Subnets: Divide your VNet into smaller IP address ranges.
Network Security Groups (NSGs): Act as a virtual firewall to filter network traffic to and from Azure resources in an Azure virtual network.
Azure Load Balancer: Distribute incoming traffic across multiple instances of your containerized applications.
Application Gateway: A managed web traffic load balancer that enables you to manage traffic to your web applications.
Service Discovery: Mechanisms for containers to find and communicate with each other.

Important: Properly planning your VNet IP address space and subnet allocation is crucial before deploying container workloads. Ensure you have enough IP addresses for your pods, services, and any other Azure resources that will reside in the VNet.

Next Steps

Explore how to configure VNet integration for your specific container service: