Azure Virtual Network (VNet) Documentation

Understanding Azure Virtual Network (VNet)

Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. It enables many types of Azure resources, such as Azure Virtual Machines (VMs), to securely communicate with each other, with the internet, and with your on-premises networks. VNet is a representation of your own network in the cloud.

Key benefits of using Azure VNet include:

Isolation and Segmentation: Securely isolate your resources and segment network traffic.
Communication: Facilitate communication between Azure resources, between on-premises and Azure resources, and to the internet.
Traffic Filtering: Control inbound and outbound traffic to and from your resources.
Routing: Define custom routes to control how traffic flows.
Connectivity: Connect to other VNets or on-premises networks.

Core Concepts

IP Addressing

Each VNet is associated with an IP address space defined by RFC 1918. You can choose a private IP address range that fits your needs, with the ability to add multiple address spaces later. This flexibility allows for seamless integration with your on-premises networks.

Subnets

A VNet is divided into subnets. Each subnet is a range of IP addresses within the VNet's address space. You can then assign Azure resources to these subnets. Subnetting is crucial for network organization, security segmentation, and IP address management.

Network Interfaces (NICs)

When you deploy resources like Azure VMs, they are connected to your VNet via Network Interfaces (NICs). Each NIC is assigned a private IP address from a subnet within the VNet.

Subnetting Strategies

Effective subnetting is key to a well-designed VNet. Consider the following when planning your subnets:

Resource Grouping: Group resources that require similar network access or security policies into the same subnet.
Security Boundaries: Create separate subnets for different tiers of your application (e.g., web, application, database) to enforce stricter security controls.
IP Address Management: Allocate IP address ranges that are sufficient for your current needs and future growth.

Example Subnetting

Consider a VNet with an address space of 10.0.0.0/16. You might divide it as follows:

    Subnet Name        | Address Range | Purpose
    -------------------|---------------|-----------------------------
    GatewaySubnet      | 10.0.0.0/27   | For Azure VPN Gateway
    WebServersSubnet   | 10.0.0.32/24  | For web server VMs
    AppServersSubnet   | 10.0.1.0/24   | For application server VMs
    DatabaseSubnet     | 10.0.2.0/24   | For database servers
    LoadBalancerSubnet | 10.0.3.0/27   | For Azure Load Balancer
                

Note: The GatewaySubnet is a reserved subnet specifically for Azure VPN Gateway and must be named precisely.

VNet Security Features

Azure VNet offers robust security capabilities to protect your resources:

Network Security Groups (NSGs)

NSGs act as a stateless packet filter for network traffic. You can associate NSGs with subnets or individual NICs to define inbound and outbound security rules, controlling traffic flow.

Example NSG Rule:

    Priority: 100
    Source: Any
    Destination: Any
    Protocol: TCP
    Source Port Range: *
    Destination Port Range: 80, 443
    Access: Allow
    Name: AllowHTTP_HTTPS
                

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your VNet resources. It provides threat intelligence-based filtering, application-level filtering, and network-level filtering.

Service Endpoints and Private Endpoints

Service endpoints allow you to securely and directly connect your VNet to supported Azure services (like Azure Storage or Azure SQL Database) over an optimized Azure backbone network. Private endpoints bring Azure PaaS services into your VNet with a private IP address.

Connecting VNets and Networks

VNet Peering

VNet peering connects two or more VNets, allowing resources in each VNet to communicate with each other as if they were within the same network. Traffic between peered VNets travels through the Microsoft backbone network, not the public internet.

VPN Gateway

Azure VPN Gateway allows you to send encrypted traffic between your on-premises data center and Azure VNet over the public internet. This provides a secure site-to-site connectivity solution.

ExpressRoute

For private, high-bandwidth, low-latency connections, Azure ExpressRoute offers direct private connections from on-premises infrastructure to Azure. It bypasses the public internet.

Monitoring VNet Traffic

Azure VNet provides several tools for monitoring network traffic and performance:

Network Watcher: A comprehensive suite of tools for monitoring, diagnosing, and viewing metrics for your Azure network. Features include IP flow verify, connection troubleshoot, packet capture, and flow logs.
VNet Flow Logs: Capture information about IP traffic flowing to and from network interfaces in your VNet.
Azure Monitor: A broad solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.