Azure Virtual Network (VNet)
Azure Virtual Network (VNet) is the foundational building block for your private network in Azure. It enables many types of Azure resources, such as Azure Virtual Machines (VMs), to securely communicate with each other, the internet, and on-premises networks. VNet provides the same benefits of a traditional on-premises network, such as:
- Network Isolation: Resources within a VNet are isolated from resources in other VNets, unless explicitly connected.
- Security: You can control network traffic flow with security groups and network security rules.
- Connectivity: Seamlessly connect to on-premises networks and other Azure VNets.
- Scalability: Easily scale your network infrastructure as your needs grow.
Key Concepts
Subnets
A subnet is a range of IP addresses within a VNet. You can segment a VNet into smaller subnets, each with its own range of IP addresses. This allows you to group resources logically and apply specific security policies to each subnet. All resources deployed within a subnet share the same IP address space.
Note: It's a best practice to plan your IP address space and subnets carefully before deploying resources to ensure scalability and avoid IP address conflicts.
IP Addressing
VNets use private IP address spaces defined by RFC 1918. You can assign public or private IP addresses to resources within your VNet. Private IP addresses are only routable within the VNet and its connected networks. Public IP addresses allow resources to communicate directly with the internet.
Network Security Groups (NSGs)
NSGs are network access control lists that contain a list of security rules to allow or deny network traffic to Azure resources connected to an Azure Virtual Network. You can associate NSGs with subnets or individual network interfaces (NICs) of VMs.
Tip: Use NSGs to implement micro-segmentation, allowing fine-grained control over traffic flow between resources.
Route Tables
Route tables allow you to override Azure's default system routes. By creating custom routes, you can direct network traffic to specific network virtual appliances (NVAs) like firewalls or routers, or to specific subnets.
Scenarios and Architectures
Basic VNet Setup
This is the simplest VNet configuration, typically used for isolating a few resources. It involves creating a VNet, defining an IP address space, and creating one or more subnets.
Diagram illustrating a basic Azure Virtual Network with subnets.
Connecting VNets (VNet Peering)
VNet peering enables you to connect two Azure VNets privately through the Azure backbone network. Once peered, resources in both VNets can communicate with each other as if they were within the same network. VNet peering is non-transitive.
Benefits of VNet Peering:
- Low Latency: Traffic between peered VNets travels over the Azure backbone network.
- High Bandwidth: Enjoy significant bandwidth for inter-VNet communication.
- No Downtime: Peering is established without any downtime for resources in the VNets.
- Security: Traffic remains within the Azure network and is not exposed to the public internet.
Key Considerations for VNet Peering:
- IP Address Space Overlap: The address spaces of peered VNets must not overlap.
- Non-Transitivity: If VNet A is peered with VNet B, and VNet B is peered with VNet C, VNet A cannot communicate with VNet C directly through VNet B. You would need to peer VNet A with VNet C as well.
- Gateway Transit: By default, peered VNets do not use the gateway of the remote VNet for transit. You can enable this by allowing gateway transit on the remote VNet.
Hybrid Connectivity (VPN Gateway & ExpressRoute)
To connect your on-premises network to Azure, you can use:
- VPN Gateway: Provides an encrypted tunnel over the public internet for secure site-to-site connectivity.
- ExpressRoute: Offers a private, dedicated connection between your on-premises infrastructure and Azure, providing higher bandwidth, lower latency, and increased reliability.
Warning: Ensure your IP address ranges are carefully planned to avoid conflicts when setting up hybrid connectivity.
Best Practices
- Plan your VNet and subnet IP addressing scheme upfront.
- Utilize Network Security Groups (NSGs) for traffic filtering.
- Leverage route tables for advanced traffic management.
- Use VNet peering for inter-VNet communication within Azure.
- Implement hybrid connectivity solutions for on-premises integration.
- Regularly review and audit your network security configurations.